
COVER  ILLUSTRATION:  JEFFREY  SMITH 


FROM  THE  EDITOR  JOHN  DIX 


SDN  coming . . .  soon 


Software defined networking was a hot topic at the recent Interop conference in Las Vegas, where enthusiasm for the emerging technology overpowered any lingering doubts.

Bob Muglia, executive vice president of Juniper’s Software Solutions Division, got a laugh from the audience when he opened his keynote with a movie trailer about the pending arrival of SDN. “SDN is coming,” a booming voice said as dramatic images flashed by, “sometime in 2013, maybe 2014 ... or 2015.” But then Muglia went on to say that Juniper is actually going to deliver its SDN controller later this year, months ahead of schedule.

Juniper is advocating an SDN overlay approach, where its box will control virtual end points and connections among them will be tunneled across existing infrastructure. SDN will not require a forklift upgrade, Muglia said. Control of physical devices will be achieved by federating controllers with other devices using BGP, and service chaining will allow users to introduce services (say firewalling) anywhere in the various paths.

Muglia predicted SDN is coming this year for a small set of early adopters (see our new special report “Understanding SDN,” at tinyurl.com/bnttcvo). In fact, the question of timing came up often at the show, eliciting a range of predictions.

Not surprisingly, backers are bullish. David Hawley, HP’s global product line manager responsible for the company’s SDN portfolio, said in one session that HP has “lots of proof of concepts going and many customers running in production.”

Marc Cohn, chairman of the Open Networking Foundation’s Market Education Committee, pointed out that the ONF member ranks swelled to 90 last year and vendors introduced 60 OpenFlow-enabled products and shipped some 30 million OpenFlow capable ports. (The ONF is the group that standardized OpenFlow as the protocol for SDN controllers to command ONF-enabled data handling devices.)

Gregory Bell, senior systems engineer at Ballarat Grammar, a school in Australia, is an early user of HP SDN products and, in a panel discussion with other SDN users, said he has already reached the point where he wouldn’t buy any infrastructure that wasn’t OpenFlow capable.

But fellow panelist Igor Gashinsky, a distinguished architect at Yahoo, leaned in the other direction. While Yahoo has found some limited uses for SDN, he doesn’t think the technology is ready for wide adoption, although he suggests that everyone should be conducting tests.

One worrying sign? Jim Metzler, vice president of Ashton Metzler & Associates, who was leading a workshop on SDN, asked the audience how many of their organizations had plans to contend with infrastructure change. As you would guess, the bulk raised their hands. Then he asked how many companies have plans for how the IT organization will change in kind. Only a handful waved.

SDN promises to usher in a lot of infrastructure change, and companies need to start thinking through the organizational implications.

400G: a colossal amount of traffic

SINCE THERE HASN’T been significant improvement in silicon chips lately, there is no reason to find some competitor with a terrific potential for the next five years. Further, who really needs 40G or 100G? Next step is supposed to be 400G! (Re: “100G, SDN leaving older switches behind”; tinyurl.com/bynplyd)

It’s like a Ferrari F1, finely tuned for a specific race. Do you really believe that in five years such a car could compete with brand-new ones with more horsepower? At such speed, you have to create something new and innovative to absorb this colossal amount of traffic unless you get some reduction factor huge enough to put some 400G ASIC on a few micrometers.

patrice valentin

University vs. vocational training

WHEN DID WE start thinking of universities as vocational schools? If we want to “train our testers,” then send them to a vocational school offering software testing training. Universities are for learning how to learn — they are not a training ground for jobs (Re: “Let’s train our testers early by offering college majors in software testing”; tinyurl.com/axeq3hp).

While I’m fully behind teaching more testing concepts (or learning how to learn about testing) in universities, I disagree that testing should be a degree program.

AlanPage

Managing mobile not 'all or nothing'

PART OF THE problem with managing mobility is that people seem to think there is a single “best” answer for every company’s needs. Why can’t BYOD itself be good for some companies and bad for others? Why can’t MDM be suitable in some instances, while others require MAM? (Re: “Pretty much everybody still confused by mobile management”; tinyurl.com/bxeeoSr)

Part of the confusion is a result of the assumption that there is a single perfect solution that addresses all needs. Too many people think BYOD has to be an all-or-nothing proposition.

DwightDavis

Windows 8 math doesn't add up

THIS IS LIKE saying, “Pepsi sold 100 million cans of cola, but how many have actually been drunk?” 100 million licenses is a big number, and 60 million in use is a big number (Re: “Windows 8: 100 million licenses sold, but how many in use?” tinyurl.com/aur7sdc).

If Google had moved 60 million Chromebooks over the past two years the tech media would be saying it was well on its way to replacing Windows entirely. Microsoft moved more than that in just six months. Why the different standard?

justd80010

Twitter users are what's broken

TWITTER ISN’T BROKEN - the users are, and always will be. While the security could be improved, the only way to get rid of false information is to get rid of the users. Voting? That just becomes a popularity contest which typically has little to do with truth (Re: “Is Twitter broken?” tinyurl.com/bvr8vor).

The best hope for accurate information is a combination of old-school journalism and vetting where those involved have their professional reputation on the line.

Steve Wilkinson

SDN's real value

THE GREAT HOPE is that SDN moves all the intelligence from the network into the software layer and out of the hardware. However, you still need intelligence in the hardware layer. And when you have provided actionable info via the software layer, you still need hardware that’s capable of doing something with it (Re: “Commodity hardware will be hallmark of SDN networks”; tinyurl.com/cwjvh5b).

The market is littered with “commodity” boxes that can’t do anything to the traffic flowing through them either because if they do they nearly collapse, or because the chips simply don’t offer that capability. The value of an SDN is providing a common platform that will allow you to extract and act on the value your switches deliver, regardless of vendor.

sheep!451 

Google CEO on innovation: ‘We’re at 1% of what’s possible’

WHEN GOOGLE CEO Larry Page took the stage at Google I/O, he didn’t pitch products, but was more philosophical, talking about innovation, negativity and the future of technology. “Today, we’re still just scratching the surface,” said Page, who is dealing with a scratchy voice caused by vocal cord paralysis. “Google is working on so many innovations. I got goose bumps about it.” The company used its Google I/O developer conference to unveil 41 updates and additions to its social network, Google+, and to show off a new look and feel for Google Maps, a new subscription music service and new APIs. tinyurl.com/at2a3w9

Mozilla to Firefox: ‘Browser, heal thyself’

MOZILLA HAS added more social media connections to Firefox 21, tweaked the Do Not Track privacy setting, and rolled out a new tool that, long term, aims to create a self-healing browser. A new feature called Firefox Health Report (FHR) collects information — speed of startup, number of crashes, number of add-ons and plug-ins — and displays the data to give users a better understanding of Firefox’s performance. FHR is in its early stages, but Mozilla has ambitious plans for the tool. “In many cases, we will be able to detect [problems] before they get out of hand, and your browser can start healing itself,” said Johnathan Nightingale, Mozilla’s vice president of Firefox engineering. On the social media front, Firefox 21 can now display sidebars to show updates from Cliqz (a German-based news aggregator), Mixi (Japanese social media network) and msnNOW (Microsoft-owned news aggregator) using its Social API. Mozilla also patched 15 vulnerabilities. tinyurl.com/aeuxfyp


VMware delivers smartphone separation

WANT TO keep corporate data separate from personal content on employee smartphones? VMware’s dual persona software is now available on some Android OS-based mobile devices sold by Verizon, including the LG Intuition and Motorola Razr M. VMware’s new Horizon Mobile application creates a separate container for corporate content and helps preserve the privacy of any personal information on the same device. A server on the back end recognizes when an authorized user logs in, and a pre-configured Android OS instance (with all the work apps) is pushed to the smartphone. If an employee tries to transfer data or apps between a corporate instance and a private instance, the transfer is automatically blocked. VMware Horizon Mobile is available now with perpetual licensing starting at $125 per user. tinyurl.com/a23c9z9

New York calls on phone makers to help deter theft

THE NEW York state attorney general has sent letters to the chief executives of Apple, Microsoft, Google and Samsung asking them for help in combating cellphone theft and hinting he may pursue legal action if they don’t cooperate. “I would like to know what Apple is doing to combat this growing public safety problem,” New York Attorney General Eric T. Schneiderman said in his letter to Apple. He asks the same question to the other cellphone makers. “In particular, I seek to understand why companies that can develop sophisticated handheld electronics, such as the products manufactured by Apple, cannot also create technology to render stolen devices inoperable and thereby eliminate the expanding black market on which they are sold.” In reaction to pressure last year, the cellphone industry created databases that would hold the network identification numbers of stolen cellphones. In theory, a stolen cellphone is blocked from being used on any U.S. network, but the databases are not yet universally used and don’t have good international coverage, so a stolen phone, even one that’s blocked in the U.S., could be used overseas. In New York, 11,447 cases of stolen iPhones and iPads were recorded in the first nine months of this year, a rise of 3,280 over the previous year. In those robberies, at least one person had been killed for an iPhone and others have been stabbed or violently attacked. tinyurl.com/b7z5vup

Google goes nuts at I/O with updates,

Developers looking to hear the latest from Google at the start of I/O had a lot of information to digest: more than 40 updates in Google+, alone. Yet the dev-heavy keynote presented a change they seemed to approve of. tinyurl.com/anba9ez

VM security practices lacking

WHILE ORGANIZATIONS have been hot to virtualize their machine operations, that zeal apparently hasn’t been transferred to their adoption of good security practices. Roughly 42% of 346 administrators surveyed by security vendor BeyondTrust said they don’t use any security tools regularly as part of operating their virtual systems, and more than half (57%) acknowledged that they used existing image templates for producing new virtual images. In addition, 64% of the respondents revealed that their organizations do not have any controls in place that require a security sign-off before a new image or template is released. tinyurl.com/aloftcg

Spiceworks gets free MDM capabilities

SPICEWORKS PLANS to add Fiberlink’s MaaS360 mobile device management functionality to the next version of its free network and IT management software. The ad-funded Spiceworks software is today used by IT staff to discover what’s happening in their network, including whether employees are using applications such as Dropbox and Evernote. The integration with MaaS360 will add the ability to view an inventory breakdown by device type, OS and carrier. IT staff will also be able to track what mobile apps their users are installing, and create alerts for jailbroken devices, disabled passwords and out-of-date operating systems. For more advanced management functionality, such as wiping a device or resetting passwords, Spiceworks has negotiated a discounted price for MaaS360, the company said. tinyurl.com/aanhexl


Windows Blue free for Windows 8 customers

MICROSOFT'S WINDOWS 8 update, code-named Windows Blue, will be formally released as Windows 8.1 and will be free for customers who have the new OS installed. As an update, Windows 8.1 will be more substantial than the regular patches Microsoft pushes out for the OS, but will not represent a dramatic leap like the upgrade from Windows 7 to Windows 8, said Windows division co-chief Tami Reller last week. Earlier this month, the other Windows chief, Julie Larson-Green, conceded that Microsoft has discussed user complaints about the removal of the start menu on Windows 8 and that it might be useful to restore it. tinyurl.com/b7befw5


Carriers unite to fight texting while driving

THE MAJOR U.S. mobile operators are putting their weight behind a campaign against texting while driving that will include a blitz of advertising and a driving simulator touring this summer. Verizon, Sprint Nextel and T-Mobile USA last week joined the “It Can Wait” campaign that AT&T began in 2012. On May 20, the campaign kicked off TV, radio and online ads warning consumers about the dangers. Almost 43% of high school students of driving age had texted while driving in the past month, according to a recent survey by the Cohen Children’s Medical Center of New York.

Data centers show signs of ‘green fatigue’

A SURVEY from the Uptime Institute suggests fatigue is setting in when it comes to making data centers greener, and it may be partly due to overachievers like Google and Microsoft. In the Institute’s latest survey of data center operators, only half of respondents in North America said they considered energy efficiency to be very important. That was down from 52% last year and 58% in 2011.

“A lot of these green initiatives, like raising server inlet temperatures and installing variable-speed fans, are seen as somewhat risky, and they’re not something you do unless you have a bunch of engineers on staff,” said Matt Stansberry, Uptime Institute’s director of content and publications.


Syrian  Internet  ups  and  downs 

INTERNET  TRAFFIC  in  and  out  of  Syria  was  restored 
Thursday  after  a  disruption  of  nearly  eight  and  a  half  hours, 
according  to  Internet  traffic  charts.  Internet  service  also 
went  down  for  about  20  hours  May  7  and  8.  Authorities 
then  blamed  a  malfunctioning  optic  cable.  This  time,  they 
said  a  rebel  bombing  north  of  Damascus  cut  a  cable, 

Associated  Press  report.  Renesys  CTO 
n  a  tweet,  questioned  whether  the 
latest  outage  was  connected  to  the 
U.N. debate. Syrian authorities could order the shutdown of critical switching facilities to disrupt traffic, he said. A malfunctioning cable could also be a “plausible explanation,” although it would have to be a critical location affected, he added.

What’s next for Ethernet?

400G in the short-term; longer-term, expect Petabit

BY JIM DUFFY

INTERNET TRAFFIC will quadruple in five years and the number of mobile Internet connections will exceed the world’s population by 2017, according to Cisco research.

The number of Internet users will be a quarter billion greater this year than last and almost three times that of 2005, according to the ITU.

Bandwidth requirements in data centers keep rising to accommodate the growth in users and the service levels they demand. We’re seeing it now with the progression from 10G to 40G to 100G Ethernet. Soon, Gigabit Ethernet will go the way of Fast Ethernet.

But 20 years before the World Wide Web, Ethernet speeds were increasing by an order of magnitude just about every 10 years or less: 10Mbps in 1973-83 to 100Mbps in 1993, 1G in 1998, 10G in 2002 and 100G in 2013.

Does that mean we’ll see Terabit Ethernet in 2023? We’re already on the way.

The IEEE recently launched a study group to explore development of a 400Gbps Ethernet standard to support booming demand for network bandwidth.

Networks will need to support 58% compound annual growth rates in bandwidth on average, the IEEE claims, driven by simultaneous increases in users, access methodologies, access rates and services such as video on demand and social media. Networks would need to support capacity requirements of 1 terabit per second in 2015 and 10 terabit per second by 2020 if current trends continue, the organization says.

So even though 100G products are just starting to appear, it’s time to look into 400G, says John D’Ambrosia, chairman of the new IEEE 802.3 400Gbps Ethernet Study Group and chief Ethernet evangelist, CTO office, at Dell.

“There’s a tsunami in terms of bandwidth,” D’Ambrosia says. “The iPhone didn’t exist when we started 100G” Ethernet.

Increasingly, video is making up more and more content on the Internet. And more and more of that video is generated from mobile devices.

Social media site Facebook is now supporting billions of users versus the tens of millions it had when 100G was first explored in 2006. The 100G standard was ratified in 2010. Four hundred gigabit Ethernet is expected to follow the same timeframe and be ratified in 2017.

Ethernet innovation summit
May 22-23 in Mt. View, Calif.
tinyurl.com/crwd8zh

So in 2023-24 we could expect to see Terabit Ethernet ratified after a study group begins in 2019-20. And then 10T Ethernet 10 years after that; then 100T; and then Petabit Ethernet 40 years after Ethernet’s 40th anniversary, and 60 years after Gigabit Ethernet.

“By 2053, you will have a Titan [supercomputer] in your living room,” said Huawei Enterprise COO Jane Li at last month’s Ethernet Technology Summit conference in Santa Clara, Calif. Titan, based at the Oak Ridge National Laboratory in Tennessee, is the world’s largest supercomputer.

Also by 2053, data centers will be running petabit-per-port networks and wireless LANs at 50Tbps, Li believes. She sees 10T Ethernet ports on data center switches and servers, and hundreds of gigabits on WLAN links in 20 years.

Video and big data will drive much of it, Li says. “People want more and more the experience of being there by not being there,” Li says of video and virtual presence it can provide. “Facebook only represents the beginning of big data.”

Switching will increasingly be done on the processor itself, and clouds will become a utility grid, Li predicts. And then a new generation of sensors will usher in new applications to analyze the huge volumes of data they generate.

But then the real kicker is when we network ourselves.

“Ethernet technology will reach another growth spurt when humans join the network,” Li says.

The BCI — brain-computer interface — could be embodied with a chip in the human brain to control, for example, prosthetic limbs. Information gathered and retrieved by this chip could be stored, managed and upgraded through the cloud, Li says.

And with 100 billion humans on Earth in 2050, that could require Petabit Ethernet. Beyond that, we could have a brain-to-brain interface in 2053, she says.


Ethernet: Did you know?

Ethernet was inspired by ALOHAnet, which was developed at the University of Hawaii to use low-cost commercial radio equipment to connect Oahu and the other Hawaiian islands with a central timesharing computer on the main Oahu campus.

Ethernet was named after luminiferous ether, a 19th-century theory on a substance believed to act as the medium for transmission of electromagnetic waves. The theory was eventually disproven by, among other studies, Einstein's theory of relativity.

Early in its development, Ethernet was referred to as the “DIX” standard for “Digital/Intel/Xerox.” These companies, which worked on Ethernet in its early stages in Xerox PARC in California, in 1980 proposed a 10Mbps data transmission standard with 48-bit destination and source addresses and a global 16-bit Ethertype field to identify the frame as belonging to a particular protocol family.

Ethernet, Token Ring and Token Bus were vying to become a single IEEE LAN standard in 1980. But disagreement among the competing proposals - the “DIX” Ethernet specification, IBM’s backing of Token Ring and General Motors’ support of Token Bus - led the IEEE to split the 802 LAN standard group into three subgroups and each proposal proceeded on a separate standards track.

Digital Equipment Corp. built a 10,000-node corporate network based on its Unibus-to-Ethernet adapter in 1986. At the time, it was one of the largest computer networks in the world. 3Com shipped its first 10Mbps Ethernet transceiver in 1981, and an Ethernet adapter card for the IBM PC was released in 1982. By 1985, 3Com had sold 100,000 Ethernet adapters.

Ethernet on unshielded twisted-pair cables began in the mid-1980s at 1Mbps with StarLAN. AT&T developed StarLAN, which uses a star topology instead of a bus used by shared media Ethernet, to reuse existing telephony on-premises wiring and maintain compatibility with analog telephone signals in the same cable bundle.

TREND ANALYSIS

Nick Carr’s ‘IT Doesn’t Matter’ still matters

Ten years ago, Carr’s article ignited an industry firestorm

BY ANN BEDNARZ

TEN YEARS ago, Nick Carr said IT doesn’t matter — sort of.

The jarring headline of Carr’s May 2003 article, “IT Doesn’t Matter,” is what many people remember, and it tends to overshadow his more thought-provoking thesis: that companies have overestimated the strategic value of IT, which is becoming ubiquitous and therefore diminishing as a source of competitive differentiation.


“The opportunities for gaining IT-based advantages are already dwindling,” Carr wrote in the Harvard Business Review article. “Best practices are now quickly built into software or otherwise replicated. And as for IT-spurred industry transformations, most of the ones that are going to happen have likely already happened or are in the process of happening.”

Carr advocated spending less on IT, both to reduce costs and to decrease the risk of buying soon-to-be obsolete equipment and applications. He also predicted the rise of utility-like computing: “The arrival of the Internet has accelerated the commoditization of IT by providing a perfect delivery channel for generic applications. More and more, companies will fulfill their IT requirements simply by purchasing fee-based ‘Web services’ from third parties — similar to the way they currently buy electric power or telecommunications services.”

The article went viral as it was passed around the office, written about by other publications and discussed on IT news forums such as Slashdot.

Carr spoke with Network World this month about his inspiration for the article, the backlash, and the article’s unexpected longevity. (Read the full Q&A at tinyurl.com/co73wvz.)

“I knew I was writing something that was provocative and that went against the grain of a lot of the rhetoric that was out there about information technology and business. But the reaction went way beyond what I expected,” Carr says.

His editor agrees. “He, I, and we (all of us at HBR) knew that it would be controversial,” said Tom Stewart, former editor of Harvard Business Review, in an email to Network World. “We also suspected that it might be misinterpreted as being a Luddite’s argument for typewriters rather than a nuanced argument that IT was strategically important not for itself but for what it enabled one to do, just as (using the analogy Nick used) electricity was more important for what people did with it than for the fact that it spawned a utilities industry.”

“Our suspicion proved well-grounded: Nick was attacked as much for what he did not say as for what he said — maybe more,” said Stewart, who today is chief marketing and knowledge officer at Booz & Company.

IT suppliers were the most upset, Carr recalls, because he essentially was telling corporate leaders to ignore vendor hype and to stop overspending on IT.

“The biggest backlash came from IT companies. Steve Ballmer called it hogwash, Carly Fiorina dissed it. All the vendors were really up in arms,” Carr says.

In the trenches, CIOs and IT executives had more mixed reactions. “Some of them really took offense at the article, but others said, ‘Yeah, I can see a lot of sense here. This is kind of where we’re heading, this is what I’m trying to do,’” Carr says.

Andi Mann, a former industry analyst and longtime enterprise technologist, saw that dichotomy among the IT executives he worked with. Some IT pros, threatened by the thought of losing control, wanted to prove Carr wrong to their CEOs and maintain the status quo. Others saw Carr’s essay as a wake-up call.

“One group was trying to maintain their legacy and trying to stop the momentum of change, of innovation, of enabling rather than controlling the business,” Mann says. “The other group was saying to me, ‘I think this guy’s onto something, and I want to be the innovative CIO, I want to be the CIO who actually uses this technology.’ Both groups were interested in trying to prove Nick Carr wrong, but for different reasons and in different ways.”

“IT Doesn’t Matter” turned out to be a career-defining missive for Carr, who followed it up with multiple books (including 2004’s “Does IT Matter?” and 2008’s “The Big Switch”), speaking engagements, and another ire-raising essay titled “The End of Corporate Computing.”

Looking back, Carr says he got some parts right and some parts wrong.

“Back then, IT companies tried to sell the latest server model as the key to strategic advantage — you need to be on the cutting-edge of infrastructure or your business is going to be overwhelmed by competitors. At that level, the idea that the basic technology was going to be neutralized as a competitive differentiator has basically panned out,” Carr says.

On  the  other  hand,  IT  pros  have  new  chal¬ 
lenges  to  address,  such  as  cloud  strategy, 
mobility  and  social  media.  “From  another 
point  of  view,  I  probably  understated  the  new 
things  that  IT  departments  would  have  to 
grapple  with.  I  don’t  think  I  expressed  the  full 
range  of  what  was  to  come,”  he  says. 

Industry  watchers  agree  —  to  varying 
degrees. 

“He  didn’t  look  into  the  future.  He  looked 
at  the  present  state  and  saw  a  lethargic,  slow, 
controlling,  almost  domineering  department 
of  IT,”  says  Mann,  who  today  is  vice  president 
of  strategic  solutions  at  CA.  “He  got  it  right:  IT 
needed  to  be  fundamentally  different.  But  he 
also  got  it  hideously  wrong.”

Suggesting  that  IT  doesn’t  matter,  that  it’s 
commoditized,  and  that  cloud  providers  can 
do  the  job  of  IT  fundamentally  underesti¬ 
mated  the  value  that  IT  brings  to  businesses, 
Mann  says.  “Nick  Carr  is  a  provocateur  and 
author  rather  than  a  technologist,  and  I  don’t 
think  he  understood  what  IT  does  when  it 
does  it  well.” 

More  on  the  same  page  as  Carr  was 
IDC  analyst  David  Tapper,  who  says  he 

►  See  Carr,  page  19 

TREND  ANALYSIS


Intel:  Keeping  up  with  Moore’s  Law  a  challenge 


BY  AGAM  SHAH,  IDG  NEWS  SERVICE

INTEL  WILL  advance  Moore’s  Law  for 
the  foreseeable  future,  but  keeping  up  with 
it  is  becoming  more  challenging  as  chip 
geometries  shrink,  according  to  a  company 
executive. 

Moore’s  Law  is  based  on  a  theory  that  the 
number  of  transistors  that  can  be  placed  on 
silicon  doubles  every  two  years,  which  brings 
more  features  on  chips  and  provides  speed 
boosts.  Using  Moore’s  Law  as  a  baseline, 
Intel  for  decades  has  added  more  transistors 
while  reducing  the  size  and  cost  of  a  chip.  The 
manufacturing  advances  help  make  smart¬ 
phones,  tablets  and  PCs  faster  and  more 
power  efficient. 

But  as  chips  get  smaller,  maintaining  pace 
with  Moore’s  Law  is  perhaps  more  difficult 
today  than  it  was  in  years  past,  said  William 
Holt,  executive  vice  president  and  general 
manager  of  Intel’s  Technology  Manufactur¬ 
ing  Group. 

“Are  we  closer  to  an  end  than  we  were  five 
years  ago?  Of  course.  But  are  we  to  the  point 
where  we  can  realistically  predict  that  end, 
we  don’t  think  so.  We  are  confident  that  we 
are  going  to  continue  to  provide  the  basic 
building  blocks  that  allow  improvements  in 
electronic  devices,”  Holt  said. 

The  end  of  the  industry’s  ability  to  scale 
chips  down  in  size  has  “been  a  topic  on  every¬ 
body’s  mind  for  decades,”  Holt  said,  but  dis¬ 
missed  arguments  by  observers  and  industry 
executives  that  Moore’s  Law  was  dead.  Some 
predictions  about  the  law  were  short-sighted, 
and  the  paradigm  will  continue  to  apply  as 
Intel  scales  down  chip  sizes,  Holt  said. 

“I’m  not  here  to  tell  you  that  I  know  what’s 
going  to  happen  10  years  from  now.  This  is 
much  too  complicated  a  space.  At  least  for  the 
next  few  generations  we  are  confident  we  don’t 
see  the  end  coming,”  Holt  said,  talking  about 
generations  of  manufacturing  processes. 

Moore’s  Law  was  first  established  in  1965 
by  Gordon  Moore,  who  co-founded  Intel  in 
1968  and  ultimately  became  CEO  in  1975.  The 
original  paper  on  the  law,  published  in  Elec¬ 
tronics  magazine  in  1965,  focused  on  the  eco¬ 
nomics  related  to  cost-per-transistor,  which 
would  come  down  with  scaling. 

“The  fact  that  now  as  we  look  at  the  future, 
the  economics  of  Moore’s  Law . . .  are  under 
considerable  stress  is  probably  appropriate 
because  that  is  fundamentally  what  you  are 
delivering.  You  are  delivering  a  cost  benefit 
each  generation,”  Holt  said. 

But  Holt  said  that  manufacturing  smaller 
chips  with  more  features  becomes  a  challenge 
as  chips  could  be  more  sensitive  to  a
“wider  class  of  defects.”  The  sensitivities  and 
minor  variations  increase,  and  a  lot  of  atten¬ 
tion  to  detail  is  required. 

“As  we  make  things  smaller,  the  effort  that 
it  takes  to  make  them  actually  work  is  increas¬ 
ingly  difficult,”  Holt  said.  “There  are  just  more 
steps  and  each  one  of  those  steps  needs  addi¬ 
tional  effort  to  optimize.” 

To  compensate  for  the  challenges  in  scaling, 
Intel  has  relied  on  new  tools  and  innovations. 

“What  has  become  the  solution  to  this  is 
innovation.  Not  just  simple  scaling  as  it  was 
the  first  20  years  or  so,  but  each  time  now 
you  go  through  a  new  generation,  you  have 
to  do  something  or  add  something  to  enable 
that  scaling  or  that  improvement  to  go  on,” 
Holt  said. 

Intel  has  the  most  advanced  manufacturing 
technology  in  the  industry  today,  and  was  the 
first  to  implement  many  new  factories.  Intel 
added  strained  silicon  on  the  90-nanometer 
and  65-nanometer  processes,  which  improved 
transistor  performance,  and  then  added  gate- 
oxide  material  —  also  called  high-k  metal  gate 
—  on  the  45-nm  and  32-nm  processes. 

Intel  changed  transistor  structure  into 
3D  form  on  the  22-nm  process  to  continue 
shrinking  chips.  The  latest  22-nm  chips  have 
transistors  placed  on  top  of  each  other,  giving 


it  a  3D  design,  rather  than  next  to  each  other, 
which  was  the  case  in  previous  manufactur¬ 
ing  technologies. 

Intel  in  the  past  has  made  chips  for  itself, 
but  in  the  last  two  years  has  opened  up  its 
manufacturing  facilities  to  make  chips  on 
a  limited  basis  for  companies  like  Altera, 
Achronix,  Tabula  and  Netronome.  Last  week 
Intel  appointed  former  manufacturing  chief 
Brian  Krzanich  to  CEO,  sending  a  signal  that 
it  may  try  to  monetize  its  factories  by  taking 
on  larger  chip-making  contracts.  Apple’s 
name  has  been  floated  around  as  one  of  Intel’s 
possible  customers. 

For  Intel,  the  advances  in  manu¬ 
facturing  also  correlate  to  the 
company’s  market  needs. 

With  the  PC  market  weak¬ 
ening,  Intel  has  made  the 
release  of  power-efficient 
Atom  chips  for  tablets 
and  smartphones  based 
on  the  newest  manu¬ 
facturing  technologies  a 
priority.  Intel  is  expected 
to  start  shipping  Atom 
chips  made  using  the  22-nm 
process  later  this  year,  fol¬ 
lowed  up  by  chips  made  using  the 
14-nm  process  next  year. 

Intel  recently  said  upcoming  22-nanome- 
ter  Atom  chips  based  on  a  new  architecture 
called  Silvermont  will  be  up  to  three  times 
faster  and  five  times  more  power-efficient 
than  predecessors  made  using  the  older 
32-nm  process.  The  Atom  chips  include  Bay 
Trail,  which  will  be  used  in  tablets  later  this 
year;  Avoton  for  servers;  and  Merrifield,  due 
next  year,  for  smartphones.  Intel  is  trying  to 
catch  up  with  ARM,  whose  processors  are 
used  in  most  smartphones  and  tablets. 

Sometimes,  not  making  immediate 
changes  is  a  good  idea,  Holt  said,  pointing  to 
Intel’s  1999  transition  to  the  copper  intercon¬ 
nect  on  the  180-nm  process.  Intel  was  a  late 
mover  to  copper,  which  he  said  was  the  right 
decision  at  the  time. 

“That  equipment  set  wasn’t  mature 
enough.  People  that  moved  [early]  struggled 
mightily,”  Holt  said,  adding  that  Intel  also 
made  a  late  move  to  immersion  lithography, 
which  saved  the  company  millions  of  U.S. 
dollars. 

The  next  big  move  for  chip  manufacturers 
is  to  450-mm  wafers,  which  will  allow  more 
chips  to  be  made  in  factories  at  less  cost.  Intel 
in  July  last  year  invested  $2.1  billion  in  ASML, 
a  tools  maker,  to  enable  smaller  chip  circuits 
and  larger  wafers.  ■ 

BY  JULIE  SARTAIN

It’s  been  four  years  since  Oracle  announced  that  it  had  reached  an 
agreement  to  buy  Sun  Microsystems.  While  Oracle  has  kept  Sun’s 
technology,  Sun’s  key  executives  have  scattered  to  the  wind. 

So,  we  decided  to  track  down
Sun’s  stars  and  find  out  what

Mobile  devices:  Too  much  of  a  good  thing?

If  you  own  five  or  more  mobile  devices,  you  may  be  suffering  from  device  overload 


BY  MARY  BRANDEL 

MOST  OF  us  have  apparently  decided  we 
can’t  live  without  our  favorite  mobile  device. 
Whether  on  public  transportation,  shopping 
or  just  walking  down  the  street,  you’re  more 
likely  than  not  to  be  surrounded  by  people 
swiping  screens,  adjusting  their  earbuds  or 
typing  on  a  virtual  screen. 

But  while  a  mobile  device  is  increasingly 
seen  as  a  must-have,  what  happens  when 
one  increases  to  two,  three  or  more?  After  all, 
the  number  of  mobile  devices  owned  by  the 
average  U.S.  subscriber  today  is  1.57,  accord¬ 
ing  to  Wireless  Intelligence,  the  research  arm 
of  the  GSM  Association,  and  1.85  in  the  rest 
of  the  world.  By  the  end  of  2013,  there  will 
be  more  Internet-connected  mobile  devices 
than  people,  according  to  Cisco’s  Visual  Net¬ 
working  Index. 

According  to  Google,  90%  of  us  juggle 
four  screens  in  a  day  (smartphone,  PC,  tablet, 
TV),  often  starting  a  task  on  one  device  and 
completing  it  on  another  (called  “sequential 
screening”)  or  using  multiple  devices  at  the 
same  time  (“simultaneous  screening”).  Nine 
out  of  10  people  are  sequential  screeners, 
according  to  Google,  while  77%  watch  TV 
with  another  device  in  hand. 

It’s  only  natural,  then,  to  ask:  Is  there 
such  a  thing  as  too  many  mobile  devices?  In 
today’s  world  of  “too  much  information,”  per¬ 
haps  there  is  a  companion  trend:  hardware 
overload. 

Streamlining  devices 

David  Collins,  IT  infrastructure  manager 
at  Residential  Finance,  a  national  mortgage 
lender  in  Columbus,  Ohio,  is  consciously  win¬ 
nowing  down  his  current  count  of  five  devices 
to  just  two.  His  list  includes  an  Android-based 
smartphone,  a  Windows-based  netbook,  an 
Android-based  tablet  and  two  laptops,  one  for 
work  and  another  for  personal  use.  Addition¬ 
ally,  he  is  evaluating  two  Windows-based  tab¬ 
lets  for  his  company’s  use. 

The  personal  laptop,  he  says,  will  likely 
be  the  first  to  go.  “It’s  still  viable,  but  because 
I’m  device-heavy,  I  want  to  streamline  down 
to  what  I  really  need  and  want.”  And  maybe, 
he  says,  he  could  live  without  the  netbook, 
which  —  at  least  before  he  acquired  the  tablet 
and  work  laptop  —  he  used  for  work  meetings 
and  personal  activities,  like  co-directing  a 
vocal  group.  “I  could  do  attendance  and  have 
PDFs  of  our  music  —  it  was  easier  on  the  net- 
book  than  the  smartphone,”  he  says. 


But  with  its  larger  screen,  significantly 
higher  processing  power  and  remote  access 
tools,  the  tablet  is  preferable,  he  says.  He  can 
store  not  just  his  music  PDFs  but  also  his 
recorded  accompaniment  tracks,  and  he  can 
also  access  his  desktop  remotely.  The  one 
remaining  advantage  of  the  netbook  is  its 
Windows  functionality.  “While  I  can  remote 
in  from  the  Android  tablet,  sometimes  it’s 
nice  to  work  natively  in  the  Windows  OS 
using  the  remote  desktop,”  he  says. 

Of  course,  with  his  recently  acquired  work 
laptop  —  a  15-inch  Ultrabook  that  is  sturdier, 
more  powerful  and  lighter  than  the  3-year-old 
netbook  —  he’s  now  able  to  do  just  that.  “Any¬ 
where  I  go  now,  it’s  a  tossup  between  [the  net- 
book],  the  tablet  or  my  work  laptop,”  he  says. 
Because  his  office  encourages  employees 
to  keep  their  data  and  applications  on  their 
desktops  and  remotely  access  their  PCs  via  a 
secure  VPN,  Collins  can  use  any  of  his  devices 
to  do  that,  in  addition  to  using  Evernote  and 
other  cloud  technologies  to  synch  files.  “As
long  as  I’ve  got  an  Internet  connection,  I  can 
get  what  I  need,”  he  says. 

Meanwhile,  like  most  people,  Collins 
is  rarely  without  his  smartphone,  using 
Exchange  ActiveSync  for  email,  contact  and 
calendar  synchronization.  While  he  prefers 
remote  access  through  the  laptop,  he  could 
scrape  by  with  just  the  phone  or  tablet.  “If  I 
had  to  go  to  the  data  center  in  the  middle  of  the 
night  and  forgot  my  laptop,  I  could  still  access 
everything  I  needed  through  my  phone,  or  if 
I  forgot  my  phone,  I  could  use  the  laptop,”  he 
says.  “I  would  prefer  not  to  do  without  one  or 


the  other,  but  I  try  to  be  sure  all  three  are  in 
synch.” 

Collins  also  meets  Google’s  definition  of 
a  “simultaneous  screener,”  preferring  to 
keep  his  business  communications  on  the 
Ultrabook  or  PC  while  at  work,  while  texting 
his  wife  on  his  smartphone  and  monitoring 
his  personal  Gmail  account  on  his  tablet. 

While  Collins  enjoys  the  flexibility  of  his 
multiple  mobile  devices,  “it  gets  old  at  times,” 
he  says.  By  September,  with  a  baby  due,  he 
would  like  to  streamline  to  two  primary 
devices:  the  mobile  phone  and  Ultrabook.  “I’ll 
have  plenty  of  things  to  carry  around  with  an 
infant,”  he  says. 

Breaking  free 

Meanwhile,  with  a  tablet  and  two  smart¬ 
phones  —  one  for  business  and  one  for  per¬ 
sonal  use  —  Samuel  Satyanathan,  technology 
leader/architect  at  Ericsson,  also  strives  to 
free  himself  from  too  many  mobile  devices. 
Although  he  uses  email,  iCloud  and  the  Apple
ID  to  keep  the  devices  synched  and  integrated, 
he  also  finds  himself  forwarding  his  personal 
calls  to  the  work  phone  to  avoid  having  to  carry 
both.  He  uses  the  tablet  mainly  for  watching 
videos  and  reading,  but  because  it  houses 
similar  apps  to  the  phone,  there  is  overlap¬ 
ping  functionality  there,  as  well.  “Maybe  one 
of  these  days,  I  could  control  everything  on 
my  phone,”  he  says,  noting  that  already,  he 
can  control  his  TV  and  Blu-ray  player  from  his 
phone  through  remote  control  apps. 

Satyanathan  is  generally  happy  with  how 
well  he  can  integrate  the  devices;  for  instance, 
he  can  be  reached  on  any  device  by  anyone
contacting  him  through  FaceTime  or  iMes- 
sage.  He  is  less  happy  with  variable  mobile 
app  functionality,  depending  on  which  device 
he  uses.  An  example  is  the  TripCase  app, 
which  he  recently  used  for  an  international 
trip.  “The  trip  wasn’t  imported  accurately 
to  the  app,”  he  explains.  “I  tried  to  correct  it 
through  their  app,  but  it  couldn’t  be  done.”  He 
also  tried  using  his  phone’s  browser  to  fix  it 
on  the  website,  but  the  site  gave  him  no  option 
to  go  to  the  full  browser  page.  Ultimately,  he 
had  to  track  down  a  PC  to  log  on  to  the  web¬ 
site,  he  says. 

An  infinite  variety 

Decreasing  your  mobile  device  count  may  be 
hampered  by  the  countless  varieties  arriv¬ 
ing  on  the  market,  from  tablets  that  seem  like 
laptops  (sporting  full  Windows  8  operating 
system  capabilities  and  fold-back  keyboards) 
to  phones  that  seem  like  tablets  (with  large 
screens  and  lots  of  storage).  While  these 
hybrids  may  be  intended  to  consolidate  func¬ 
tionality,  it’s  likely  that  people  —  especially 
gadget-loving  people  —  may  own  a  few  types 
on  their  way  to  deciding  which  one  (or  two) 
they  won’t  leave  the  house  without. 

That’s  the  case  for  Doug  Ross,  CTO  at 
Western  &  Southern,  who  counts  seven  or 
eight  devices  to  his  name,  including  tablets, 
a  laptop,  several  e-readers  and  his  primary 
smartphone.  Unintentionally,  Ross  has 
begun  to  streamline  the  number  of  devices 
he  uses.  While  he  has  an  iPad,  the  virtual 
keyboard  does  not  accommodate  his  heavy 
content  creation  needs.  “I  see  a  lot  of  people 
in  meetings  using  iPads  with  a  detachable 
keyboard,  but  I’m  not  at  a  place  where  I’d  be 
able  to  use  it  effectively  as  a  surrogate  for  a 
laptop,”  he  says. 

Ross  uses  one  smartphone,  a  Droid  Razr, 
as  his  company  uses  mobile  management 
software  from  Good  Technology  to  segre¬ 
gate  personal  and  business  data.  And  after 
installing  Kindle  software  on  his  Droid 
Razr,  “I’m  finding  myself  reading  books  off 
my  phone,”  he  says,  which  is  increasingly 
negating  the  need  for  an  e-reader,  especially 
because  the  phone  allows  him  to  simultane¬ 
ously  keep  up  with  Twitter  and  email.  It’s 
little  wonder,  then,  that  Ross  has  found  him¬ 
self  eyeing  the  Galaxy  Note,  which  is  smaller 
than  the  iPad  Mini  but  larger  than  a  phone 
and  includes  a  stylus  for  note-taking.  “It’s 
primarily  a  phone,  but  it  blends  the  capabili¬ 
ties  of  a  tablet  into  something  that  can  serve 
as  both,”  he  says. 

At  this  point,  though,  he  finds  himself 
using  both  his  smartphone  and  tablet  at  the 


same  time,  especially  when  watching  base¬ 
ball  on  TV.  “I  might  be  looking  up  someone’s 
career  stats  on  the  iPad,  while  my  smart¬ 
phone  is  set  on  my  Twitter  feed,  reading  what 
people  are  tweeting  on  the  Reds,”  he  says. 

And  then,  there’s  Google  Glass.  Ross  is 
eagerly  anticipating  delivery  of  Google’s  new 
wearable  technology,  having  recently  been 
chosen  to  receive  an  early  version  of  the  device, 
after  submitting  an  idea  for  how  he  would  use 
it.  “Wouldn’t  it  be  cool  to  be  walking  around 
or  waiting  in  the  doctor’s  office,  reading  your 
Twitter  stream?”  Ross  says.  Instead  of  pulling 
out  your  mobile  device,  “it  becomes  a  seamless 
part  of  your  life,”  he  says.  “There  seems  to  be  a 
natural  progression  of  devices  becoming  more 
integrally  bound  to  humans.” 

When  you  consider  these  types  of
developments,  it’s  difficult  to  predict
whether  we’ll  see  people  carrying  more  or
fewer  mobile  devices  in  their  daily  lives.
What’s  clear  is  the  growing  dependence  on
constant  connection  with  at  least  one  device.
“It  used  to  be  that  on  a  plane,  you  knew  you’d
be  incommunicado,”  Ross  says.  Now,  with
Wi-Fi,  there  aren’t  too  many  places  where
connectivity  isn’t  possible.  “A  flight  from
Columbus  to  Charlotte,  gate  to  gate,  is  an
hour,”  he  says,  “and  you’re  in  the  air  maybe
45  minutes.  They  charge  $5  for  an  Internet
connection,  and  I  can’t  tell  you  how  many
devices  open  up.  No  one  wants  to  be  discon¬
nected,  even  for  that  45  minutes.”  ■

Brandel  is  a  freelance  writer.  She  can  be
reached  at  marybrandel@verizon.net.


►  Carr,  from  page  10

fundamentally  agreed  with  Carr’s  article.

“He  got  people  to  start  to  think  about  it,
to  say,  ‘Let’s  step  back  from  what  we  do  and
ask:  Where  is  this  all  going,  folks?’  He  was
right,  he  needed  to  modify  it  a  little  bit,  but
he  struck  the  right  chords,”  Tapper  says.

To  Tapper,  one  distinction  Carr  should
have  made  is  to  specify  who  will  care  about
IT  in  the  future:  “He  should  have  said,  ‘To
whom  should  IT  matter?’  Because  it  won’t
matter  to  the  consumer,  it  will  matter  to
the  suppliers  and  the  service  providers,”
Tapper  says.  “The  service  providers  are
the  ones  that  are  going  to  buy  all  this  stuff,
they’re  going  to  integrate  it  and  operate  it.”
To  everyone  else,  technology  is  just  a  tool
to  do  their  jobs,  something  that’s  taken  for
granted,  according  to  Tapper.  “Do  I  wake
up  in  the  morning  thinking  about  my  tele¬
phone  or  the  boiler  in  my  house?  No.  Only
when  there’s  a  problem.  Otherwise  I  never
give  it  a  second  thought.”

Tapper  agreed  with  Carr’s  prediction
that  IT  would  move  to  a  utility  model.  “Once
the  masses  of  the  world  need  something,
it  always  becomes  a  utility.  There  are  no
exceptions,”  Tapper  says.  “It’s  the  only  way
you  can  deliver  it.  And  technology  is  now
something  we  can’t  live  without.”

Ten  years  after  the  HBR  article,  compa¬
nies  still  have  a  long  way  to  go  on  the  path  to
cloud  computing.

“If  you  look  at  IT,  the  bulk  of  investment
these  days,  certainly  on  the  vendor  side,  is
on  cloud  systems  and  applications,”  Carr
says.  “On  the  other  hand,  if  you  look  at
corporate  spending,  cloud  is  still  a  fairly
small  percentage  of  overall  spending,  even
though  it’s  growing  quickly.  So  we’re  still
kind  of  between  two  eras.”

Tapper  agrees.  “Companies  are  in  the 
stages  of  restructuring  their  IT  depart¬ 
ments  and  trying  to  form  them  around 
cloud  categories,  such  as  platform  as  a  ser¬ 
vice.  They’re  outsourcing  or  procuring  dif¬ 
ferent  clouds.  They’re  trying  to  get  it  under 
control.  It’s  a  bit  out  of  control  now  —  one 
company  had  30  Amazon  contracts  and 
didn’t  know  about  them.” 

Back  when  “IT  Doesn’t  Matter”  was  pub¬ 
lished,  the  idea  of  utility-like  computing 
was  relatively  new  in  the  trenches  of  enter¬ 
prise  IT.  But  Mann  saw  some  IT  leaders 
accept  the  implicit  challenge  and  begin  lay¬ 
ing  the  groundwork  for  cloud  computing 
because  of  Carr’s  article. 

“There  were  a  couple  of  organizations 
that  specifically  started  talking  to  me 
about  virtualizing  everything,  automating 
everything,  implementing  chargebacks 
and  things  like  that.  That  was  the  start  of 
a  number  of  my  clients’  journeys  to  the 
cloud,”  Mann  says. 

The  fact  that  it’s  still  being  talked  about 
suggests  Carr  made  some  valid  points. 

“If  Nick  had  just  merely  [been]  a  provo- 
cateur/bomb-thrower/iconoclast  —  i.e.,  had 
he  been  wrong  —  then  the  article  would 
have  been  a  9  days’  wonder,  not  something 
you’d  like  to  write  about  on  its  10th  anniver¬ 
sary,”  Stewart  said. 

At  the  very  least,  the  article  left  a  lasting 
impression.  “It’s  still  a  bit  of  a  raw  nerve  for 
a  lot  of  people,”  Mann  says.  ■ 

Clarifying  the  role  of  SDN  APIs


With  software-defined  networking  the  control  of
the  network  is  pried  out  of  the
data  handling  devices  and
centralized  on  a  controller
that  uses  a  common  proto¬
col,  OpenFlow,  to  direct  the
switches  on  the  southbound  side.  That  much  has
been  established.  But  what  of  the  oft-mentioned
northbound  APIs  that  will  let  applications  tell  the
controller  what  they  need  from  the  network?  What 
kind  of  progress  is  the  Open  Networking  Foundation  making  on  that 
front?  Network  World  Editor  in  Chief  John  Dix  put  the  question  to  Robert 
Sherwood,  CTO  of  Big  Switch  Networks  and  head  of  the  ONF’s  Architec¬ 
ture  and  Framework  Working  Group,  which  is  responsible  for  multiple 
things,  including  the  creation  of  these  northbound  APIs. 


Rob,  let’s  start  by  getting  an
explanation  of  your  role  in  the 
Open  Networking  Foundation. 

I  am  the  chair  of  the  Architecture  and  Frame¬ 
work  Working  Group,  which  is  charged 
with  many  things,  including  scoping  out  the 
northbound  APIs,  but  includes  coming  up 
with  a  general  architecture  and  overview  for 
everything  that  the  ONF  is  looking  at.  You 
can  almost  think  of  it  as  a  working  group 
to  decide  the  context  for  the  other  working 
groups.  We’re  also  charged  with  coming  up 
with  names,  so  at  least  we  can  agree  on  what 
we  disagree  about,  which  is  my  standing  joke. 

How  complete  is  ONF’s 
work  at  this  point? 

Let  me  split  that  conversation  in  terms  of 
what  gets  standardized  and  what’s  actually 
deployed  and  mature.  In  terms  of  what  gets 
standardized,  I  would  tell  you  we’re  making 
good  progress.  No  one  thinks  that  we’re  done. 
I  think  of  it  as,  there  may  not  be  a  done  state, 
but  enough  things  are  standardized  to  hit  a 
useful  set  of  commercial  features  that  can 
turn  around  and  be  productized  by  people 
like  myself  with  my  vendor  hat  on.  At  the  same 
time,  as  you  collect  more  interest,  you  have 
more  use  cases  that  come  up  and  more  places 
where  you  want  this  to  go.  So  in  that  sense, 
there’s  a  fair  bit  of  work  ahead  of  us.  But  on  the 
other  hand,  that’s  strictly  in  terms  of  standard¬ 
ization.  There  are  also  lessons  learned  from 
implementation,  and  from  that  perspective, 
we  still  have  some  ways  to  go  as  well. 


Work  seems  to  be  furthest  along 
with  the  so-called  southbound  APIs, 
with  OpenFlow  being  the  primary 
protocol  that  SDN  controllers  will  use 
to  talk  to  data  handling  devices.  The 
northbound  APIs  are  always  referred 
to  in  more  vague,  futuristic  terms. 

Explain  the  role  they  will  play. 

A  lot  of  people  are  confused  about  this  and  it 
is  one  of  the  things  I  am  trying  to  solve  in  my 
working  group.  Take  what  I  call,  for  lack  of 
a  better  term,  a  business  application,  some¬ 
thing  like  Hadoop,  or  something  like  an  Ora¬ 
cle  server,  or  even  something  like  OpenStack’s 
Nova.  These  are  applications  people  want  to 
run  and  the  fact  that  there’s  a  dependency  on 
the  network  is  almost  an  annoyance  for  them. 
They  just  want  the  application  to  work. 

So  the  northbound  API  is  how  that  busi¬ 
ness  application  talks  to  the  controller  to 
explicitly  describe  its  requirements:  I  am 
OpenStack.  I  want  this  VM  field  to  talk  to  this 
other  VM  but  no  other  VMs  can  talk  to  them, 
etc.  But  also  give  me  a  view  of  how  loaded  the 
network  is  so  I  can  make  an  informed  deci¬ 
sion  on  where  to  put  new  VMs.  So  those  are 
two  examples  of  northbound  APIs  that  are 
meaningful  for  people. 

Without  northbound  APIs  will
SDN  applications  be  constrained  to
vendor-specific  controllers?

Look  at  the  operating  system  world.  There 
is  not  an  API  that  is  standard  for  application 
developers  across  Mac  OS,  Windows  and 


Linux.  It  just  doesn’t  exist.  But  that’s  been  a 
fairly  healthy  ecosystem.  Similarly,  if  you 
look  at  cellphones,  there’s  not  a  comparable 
northbound  API  across  iOS,  Android,  Sym¬ 
bian,  etc.  But  again,  that’s  a  fairly  healthy 
ecosystem.  The  critical  thing  is,  as  long  as  the 
API  is  open  it  doesn’t  matter  as  much  if  it’s 
standardized.  Yes,  eventually,  these  things 
might  become  de  facto  standards,  but  that’s 
many  moons  from  now. 

But  if  all  the  controller  vendors 
come  out  with  non-standard 
northbound  APIs  it’s  going  to  make 
it  harder  on  the  buyer,  won’t  it? 

My  mindset  is  the  buyers  are  actually  buying 
business  applications,  and  it’s  really  about 
what  supports  what.  For  example,  it  is  a  real¬ 
ity  that  the  people  who  write  Angry  Birds 
have  to  write  different  implementations,  one 
for  Android  and  one  for  iPhone.  But  as  long 
as  the  application  you  want  is  available  on  the 
platform  you  want  it  to  work  on,  that  kind  of 
doesn’t  matter  for  the  buyer.  You  just  want  the 
application  to  work. 

Is  it  technically  hard  to  create 
these  northbound  APIs  or  is  it  just  a 
byproduct  of  the  way  the  technology 
is  emerging,  with  the  early  focus  on 
the  southbound  side  while  biding 
your  time  on  the  northbound  stuff? 

It’s  both.  Think  of  the  work  required  to  get 
Unix  to  a  position  where  people  could  even 
think  about  standardizing  the  APIs  that 
became  POSIX.  A  lot  of  learning  had  to  be 
done,  and  people  are  still  arguing  about  it. 
With  my  working  group  hat  on  I  tell  people 
we  should  build  a  bunch  of  examples,  figure 
out  what  we  got  wrong,  try  to  fix  it,  iterate  it, 
and,  assuming  we  actually  reach  some  sort 
of  stable  point,  then  try  to  standardize  that. 
Right  now  everyone  and  their  grandmother 
has  a  controller,  and  what  that  means  is 
that  everyone  and  their  grandmother  has  a 
northbound  API.  And  while  I’ll  be  the  first 
to  tell  you  I  think  mine  is  best,  at  this  point 
nobody  really  knows. 

Does  every  controller  supplier  have 
one  northbound  API,  or  will  they 
have  multiple  types  of  APIs  for 
different  types  of  functionality? 

It’s  a  little  bit  of  semantics.  People  talk  about 

►  See  SDN, page  24 
H-1B debate pits tech firms vs. IT workers

BY GRANT GROSS, IDG NEWS SERVICE

MANY  U.S.  tech  companies  are  pushing 
hard  this  year  for  an  increase  in  the  number 
of  high-skill  immigrants  allowed  into  the 
country, but many veteran IT workers question
their motives for wanting to increase the
number  of  visas  under  the  controversial  H-1B 
program. 

Microsoft,  IBM  and  recently  Facebook  are 
among  the  large  tech  companies  that  have 
called  for  an  annual  increase  in  H-1B  visas  for 
high-skill  workers,  arguing  they 
can’t  find  qualified  tech  workers  in 
the U.S. to fill all their open positions.
Reports from those companies
— and others — of thousands
of  unfilled  tech  jobs  in  the  U.S. 
seem  to  support  their  argument. 

Eight U.S. senators are pushing
for an increase from the
65,000-person  cap  on  H-1B  visas  to 
as  much  as  300,000  workers.  But 
critics  say  the  skilled  worker  visa 
program  undercuts  U.S.  wages  and 
is  filled  with  abuse. 

Many tech companies arguing
for higher H-1B caps also say the
U.S. should be encouraging the
world’s top IT talent to come to the
U.S. “Why do we offer so few H-1B
visas for talented specialists that
the supply runs out within days
of becoming available each year,
even though we know each of
these jobs will create two or three
more American jobs in return?”
Facebook CEO Mark Zuckerberg
wrote. “Why don’t we let entrepreneurs
move here even when they
have what it takes to start new
companies that will create even
more jobs?”

Many  lawmakers  prefer  to  deal  with 
skilled  immigration  issues  at  the  same  time 
as  they  deal  with  the  contentious  larger 
debate  on  illegal  immigration.  But  this 
month, Senate Judiciary Committee Chairman
Patrick Leahy, a Vermont Democrat,
said  immigration  reform  will  be  a  priority 
in  the  coming  months. 

Developers  in  demand 

Many  U.S.  tech  companies  say  an  increase  in 
the  cap  is  needed. 

Modus Operandi, a semantic search software
vendor in Melbourne, Fla., has had “a
hell  of  a  time  trying  to  fill  these  positions,”  says 
Rick  McNeight,  the  company’s  president. 


The 80-person company has six open positions,
three for Java programmers, with those
positions  open  for  months,  McNeight  says. 

Data from Dice, the tech job board, CareerBuilder
and staffing agency Kelly Services
show  thousands  of  open  IT  jobs  across  the 
U.S.,  with  significant  openings  in  application 
development,  including  mobile  apps  and 
HTML  5,  IT  infrastructure  support,  and  for 
IT  project  managers.  Java  and  .Net  developers 
are  in  high  demand,  says  Melisa  Bockrath,  vice 
president  of  Kelly  Services. 


CareerBuilder, the online job-search portal,
had more than 290,000 job listings for
application developers between December
and February, and just over 20,000 candidates
in related fields. AT&T and IBM each
had more than 3,400 app developer job postings
during that three-month period; Microsoft
and Computer Sciences each had more
than 1,250.

CareerBuilder  listed  more  than  30,000  IT 
project  management  jobs  during  the  same 
time period. There were about 5,500 job seekers
in that area. But only 15% of the candidates
in the app developing field, and 11% in IT project
management, said they were willing to
relocate  for  a  job. 


The  picture  is  more  complicated  than  the 
stats  suggest.  Many  veteran  IT  workers,  some 
with  close  to  20  years  of  experience,  say  many 
U.S.  tech  vendors  don’t  want  their  services. 

Foreign  affairs 

Many U.S. tech companies want more H-1B
visas so they can hire cheaper foreign workers,
contrary to the official stance that tech companies
want to bring the most talented tech workers
to the U.S., some critics say.

Foreign visas are a large part of the problem
for veteran IT workers, says John
Donaldson, a 51-year-old software
developer out of work since October.
“I blame much of my misfortune on
the H-1B visas flooding this country.
When I picked my computer
science major ... no one told me I’d
be competing against a huge tide of
foreign nationals flooding, via dubious
means, the national job market
every year.”

In some cases, the out-of-work IT
veterans have a skills mismatch with
the jobs available, says Bockrath, of
Kelly Services. Many companies
want experience in their field; companies
believe that developing apps
for the oil and gas industry is different
than developing mortgage apps
for a bank, she said.

In other cases, candidates aren’t
willing to move for a job, says Bockrath.
Veteran tech workers living in
areas of high unemployment “need to
be a little more flexible” about relocating,
she says.

Many of Kelly’s corporate clients
are having trouble recruiting IT workers,
she says. In areas with IT worker
shortages, Bockrath has advised clients
to consider remote workers.

Many companies aren’t focused on retraining
older workers, says Bill Peppier, managing
partner at staffing firm Kavaliro.

Peppier sees worker shortage, but he
believes more H-1B visas would be a short-term
fix. In the long-term, the U.S. needs to
focus more on developing its own science and
technology workers, he says.

For McNeight more foreign visas would,
at best, have an indirect impact on his ability
to hire workers. Because his company works
with the U.S. military and intelligence agencies,
most of his programmers need security
clearances. More H-1Bs might fill open positions
at other companies, making it easier for
him to recruit, he says. ■


Hire  opportunity 

A  glut  of  high-paying  jobs  in  the  field  of  application 
development  calls  for  highly  skilled  workers. 
Computer networks are the core of
modern communication—nearly
every  facet  of  modern  life  flows 
through  a  computer  network. 


But  today's  networks  have  outstripped  legacy  infrastructure, 
resulting  in  a  complex  landscape  that  lacks  efficiency,  security 
and  reliability.  The  explosion  of  data,  the  growth  of  the  internet, 
social  media  and  cloud  computing  all  demand  a  new  set  of 
network  technologies.  Thanks  to  Ethernet  fabrics  and  Software- 
defined  Networking,  the  future  is  bright  for  networks.  Brocade 
and  IDG  bring  you  this  infographic  overview  of  addressing  the 
complexity  challenge  of  modern  networks. 
Brocade and IDG bring you this infographic
overview of the evolution of modern networks.

HELPING CUSTOMERS UNLEASH THE
CLOUD’S FULL POTENTIAL ISN’T EASY.
BUT DEPLOYING NEW CLOUD SERVICES
JUST GOT EASIER.


Brocade®  VCS®  Fabric  technology  allows  you  to  treat  an  entire  cluster  of 
switches  as  one,  speeding  configuration  and  automatically  scaling  your 
network  as  business  requires.  Helping  your  customers  meet  the  demands 
of  an  always-on  world  is  your  mission.  Making  networks  easier  to  deploy, 
manage,  and  scale  is  ours.  Let's  work  together,  brocade.com/easy 
TRANSITIONING TO A HIGHLY VIRTUALIZED,
SERVICES-ON-DEMAND DATA CENTER ISN’T EASY.
BUT DEPLOYING, MANAGING, AND SCALING
YOUR NETWORKS JUST GOT EASIER


Brocade®  helps  you  capitalize  on  today’s  fundamental  IT  transformation  by  delivering 
radically  simplified  architectures  with  data  center-class  performance.  Meeting  the 
increasing  demands  of  a  virtualized  world  is  your  mission.  Making  networks  easier 
to  deploy,  manage,  and  scale  is  ours.  Let’s  work  together. 
Veteran tech workers see themselves locked out


BY  GRANT  GROSS,  IDG  NEWS  SERVICE 

MANY  TECH  companies  have  called  for  the 
U.S.  Congress  to  ease  restrictions  on  high-skill 
immigration  because  they  can’t  find  qualified 
tech  workers  to  fill  open  positions.  Yet,  many 
veteran  IT  tech  workers  say  they  can’t  find 
jobs. 

More than a dozen veteran IT workers, contacted
through the Programmers Guild and
high-skill  immigration  critic  Norm  Matloff, 
computer  science  professor  at  the  University 
of  California  at  Davis,  say  they  can’t  find  jobs, 
with  many  pointing  to  a  glut  of  cheap  workers 
available  through  the  H-1B  visa  program. 

Fifty-year-old  Robert  Wade,  who  has  been 
in  the  tech  and  engineering  fields  for  27  years, 
has  worked  10  months  out  of  the  last  40,  he 
says. It’s been eight months since his last paycheck,
even though he has a bachelor’s degree
in electrical engineering and a master’s in
industrial engineering, with an emphasis in
human/computer interaction and user interface
design.

A  recent  study  from  left-leaning  think 
tank,  the  Economic  Policy  Institute,  seems  to 
back  up  claims  by  Wade  and  other  veteran  IT 
workers.  The  U.S.  has  plenty  of  workers  in  the 
science  and  technology  fields,  the  EPI  study 
said.  Only  half  of  U.S.  students  who  graduate 
in  the  science,  technology,  engineering  and 
math  (STEM)  fields,  however,  get  a  job  in  those 
fields,  the  study  said. 

The  Information  Technology  Industry 
Council,  a  tech  trade  group,  said  the  EPI 
study was “replete with faulty data, exaggerated
claims, and plain wrong facts.” The
study relies on 2009 data when the U.S. was
still recovering from a recession, Robert Hoffman,
ITI’s senior vice president for government
relations, wrote.

Wade,  from  Indianapolis,  Ind.,  says  he’s 
willing  to  move  for  work.  “The  stories  are 
usually that they have tons of locally unemployed
tech workers to choose from so why
would  they  want  to  pay  for  me  to  move  there?” 
he  said  in  an  email.  “I’ve  even  offered  to  pay  to 
move  myself,  and  still  nothing.” 

Wade has drawn the line at getting additional
training, however. “I’ll take whatever
training  a  company  wants  me  to  take,  but 
I’m  not  spending  my  savings  to  get  yet  more 
degrees  and  more  certs  just  hoping  that  some 
company  will  then  hire  me,”  he  says.  “That’s 
all  a  crapshoot.” 

He  may  not  pick  the  right  area  to  focus  on, 
he  says.  “The  only  way  to  know  for  sure  is  if 
a  company  will  pay  you  to  take  the  training. 
That means it has value to them. I already
have a stinking master’s degree and 27 years
of  experience  and  am  having  trouble  finding 
a  job.” 

Wade and many other out-of-work IT veterans
say it’s difficult to compete with lower
cost  foreign  labor.  “Companies  mostly  just 
want  cheap  workers,  or  they  want  someone 
that  has  already  done  the 
exact  job  they  are  hiring 
for,”  he  says. 

Many companies post
very specific job requirements
in an effort to weed
out veteran workers, say
Wade and other experienced
IT workers. Veteran
workers can train themselves
in new programming
languages or tools,
but that’s no guarantee of a
job, they say.

“Some  areas  are  so  new, 
like  cloud  stuff,  very  few 
people  have  any  experience 
in  that,”  Wade  says.  “So 
whether  they  hire  me,  or  a 
new  citizen  grad,  or  bring  in 
an  H-1B  visa,  they  will  have  to  train  them  all.” 

Veteran  IT  workers  may  have  a  harder  time 
finding  jobs,  especially  if  they  need  employer 
training, says Melisa Bockrath, vice president
at Kelly Services. “You can take a kid out
of  college  who  has  some  good  core  technical 
skills . . .  and  you  can  put  the  same  amount  of 
training  in  and  get  them  productive  to  your 
specific  application,  and  their  wage  base  is  a 
lot  lower”  than  someone  with  15  or  20  years  of 
experience  in  IT,  she  says. 

Wade’s story echoes those from other veteran
IT workers.

John  Donaldson,  a  51-year-old  software 
developer  out  of  work  since  October,  has  been 
keeping  up  with  Hadoop  and  other  hot  skills, 
but he’s getting no job offers. He also has experience
with SQL, Java programming and data
modeling,  other  supposedly  in-demand  skills. 

“In  the  software  development  field,  you 
either  keep  abreast  of  what’s  current,  or  you 
die,”  he  says. 

Many  companies  looking  for  IT  workers 
are  “overly  picky,”  allowing  them  to  pass  over 
veteran workers with similar, but not the
exact, experience they want, says Donaldson,
from Oakland. “Any halfway decent software
developer can jump right into any of those languages,”
he says.

Bea  Dewing  has  long-term  experience  in 
data modeling, one of the IT skills that’s supposed
to be hot. She has worked in the tech
industry since 1986, as a programmer, systems
analyst, database designer and project
manager, and she’s been out of work since
December.

“I have been doing this type of work since
I got my B.S. in computer science ... in 1986,”
she said. “I was just turned down for a job
after having a very successful
meeting with the
data management team at
a large corporation. I was
assured by my recruiter
that they would make an
offer within a week. Someone
came in with a cheaper
person, so that job is gone.”

Dewing,  61,  moved  to 
New  York  City  to  take  a 
project,  then  was  laid  off 
and  replaced  by  a  foreign 
worker,  she  says.  She  has 
relocated  14  times  for  jobs, 
she  says. 

Many Indian recruiters
Dewing has talked to
recently start the conversation
by low-balling an
hourly rate, she says. “I personally find it
insulting to be treated like a commodity. The
assumption seems to be, get your rate low
enough and you’ll be hired.”

Greg  Steshenko,  who  immigrated  to  the 
U.S.  from  the  former  Soviet  Union  in  1987, 
says  he  hasn’t  worked  steadily  since  2002. 
The  resident  of  Silicon  Valley  has  a  master’s 
degree  in  electrical  engineering,  a  bachelor’s 
degree  in  electrical  engineering,  and  he 
received  a  second  bachelor’s  in  biochemistry 
and  molecular  biology  in  2010. 

Steshenko, 51, has worked as a nanotechnology
engineer, a software engineer and a digital
hardware design engineer. “I’m unemployed,
on welfare,” he said. “Since 2002, I had just
very  brief  periods  of  temporary  employment 
as  an  engineer-consultant,  hotel  clerk  and  a 
Home  Depot  associate.” 

He’s  taken  college  courses  throughout  his 
years of unemployment, he says. “I’m over-educated
and over-experienced,” he added.
“The depth and breadth of my education and
experience could hardly be matched. I am able
to perform any job in electronics, programming
and biomedical industry, and I’d be able
to  come  up  to  speed  within  a  week  or  two.  Still, 
[there’s]  no  job  for  me  in  this  country.” 

Asked  if  he’s  keeping  his  skill  set  current, 
Steshenko says it’s difficult to guess what hiring
companies want, when technology is constantly
changing. ■
► SDN, from page 20

the  Amazon  EC2  API,  but  if  you  break  it 
down  there’s  clearly  a  bunch  of  different 
types  of  APIs  put  together.  It  doesn’t  really 
matter  as  much  for  the  programmer  as  long 
as  these  things  are  well  documented,  open 
and  available  to  them  without  changing. 

OK.  And  where  do  we  stand 
in  the  development  of  these 
northbound  APIs?  Has  Big  Switch, 
for  example,  fleshed  any  out? 

With  all  these  things  it’s  a  question  of  what 
you  support.  The  dataset  we  work  on,  both 
Floodlight  [the  open  source  version  of  Big 
Switch’s  controller]  and  our  commercial 
product, is actually able to support a growing
list of interesting applications, but it’s not
everything.  And  what’s  interesting  to  see  is 
that  people  are  extending  the  APIs  to  build 
more  and  more  applications  on  it.  And  to 
pre-empt  maybe  your  next  question  —  how 
close  are  we  to  being  done?  —  we  just  don’t 
know  yet. 

OK.  You  mentioned  some  applications 
that  will  be  able  to  take  advantage 
of  the  northbound  APIs,  but  is  it 
possible  to  categorize  what  will 
likely  emerge?  A  bunch  that  will 
do  X,  others  that  will  do  Y? 

I’m  of  the  belief  that  it  will  be  a  large  class  of 
applications.  I  joke  that  the  killer  app  of  SDN 
will  be  the  long  tail,  which  is  to  say  that  the 
most  interesting  app  will  be  the  wide  variety 
of  apps  that  will  be  made  possible.  But  I  think 
it  will  be  a  large  collection  of  applications. 
I  recently  asked  a  group  of  grad  students, 
“Who’s going to be the first to create FarmVille
for networking, some application that
no  one  ever  thought  of,  but  turns  out  to  be 
really  popular?” 

Are  the  legacy  guys,  the  Ciscos  and 
Junipers  of  the  world,  really  keen  on  the 
standardization  of  these  APIs,  or  does 
it  work  against  their  best  interests? 

I  think  they’re  a  little  bit  of  two  minds,  if  I  can 
put  words  in  their  mouths.  Obviously  they 
have  their  own  interests  to  protect,  but  at  the 
same  time  they  see  the  writing  on  the  wall. 
So  they’re  looking  to  be  active  participants 
in  this  and  also  want  to  see  where  it’s  going. 
I  don’t  think  that’s  terribly  different  on  the 
northbound  API  side  vs.  any  other  part  of 
this  issue. 

OK.  The  last  question.  If  this  effort 
to  standardize  the  northbound  APIs 
doesn’t  get  off  the  ground,  are  there 
workarounds  that  would  help  us 
achieve  some  of  the  same  things? 


[Figure: SDN abstracts the network. Introducing a controller between the applications and the data handling devices simplifies operations and management.]


Let me be very specific as to what my working
group is doing. Right now we’re only categorizing
the APIs and documenting what
exists. We aren’t trying yet to standardize
them.  One  could  imagine  that  would  be  a 
subsequent  step.  It  is  my  personal  belief  that 
we  don’t  need  to  do  this  because  a  standard 
API  doesn’t  exist  in  the  PC  operating  system 
world  or  in  the  mobile  phone  market,  and  if 
we’re  half  as  successful  as  those  markets  then 
I’ll  be  pretty  happy. 

It’s  really  easy  to  pick  a  standard  and  say 
—  OK,  this  is  it,  we’re  done.  But  my  concern 
is  that  if  we  pick  something  now  it  will  be 
wrong  or  incomplete.  That  can  cause  as 
much or more damage as not picking something
soon enough.

If  a  company  ends  up  with  controllers 
from  multiple  suppliers,  would 
there  be  a  way  of  federating  them 
in  some  sense,  to  reach  some  form 
of  interoperability  without  having 
standard  northbound  APIs? 

Certainly  we  spend  a  fair  amount  of  time 
thinking  about  that,  particularly  with  my  ONF 
hat  on.  It’s  actually  interesting  to  take  a  slightly 
different  question  and  come  back  to  it. 

So  quite  often  in  a  controller  we  have  to 
integrate  with  other  legacy  protocols,  OSPF 
or BGP, or something like that. So our controller
already knows how to talk with non-SDN
devices, and my claim is that other people
building  controllers  will  have  to  do  the  same 
thing.  So  if  my  controller  is  willing  to  speak 
BGP  to  something,  and  another  controller  is 
willing  to  speak  BGP  to  me,  that  could  actu¬ 
ally  be  some  sort  of  lingua  franca  between  us. 

OK.  Anything  else  regarding 
this  whole  topic? 

I’m  really  more  of  a  programmer  than  what 
I’d  call  a  standards  wonk,  and  I  think  the 
exactly  wrong  thing  to  do  is  standardize  first 
and  develop  later.  That’s  someone  saying  they 
have  the  answer  and  we  should  set  it  in  stone. 
There’s still a lot of development and experimentation
that needs to be done. So that’s how
I  fill  a  lot  of  my  time,  just  trying  to  develop  and 
experiment  with  these  APIs. 

Are  there  other  people  you’re  working 
with  that  are  fighting  to  do  the  opposite? 

There’s  certainly  a  tension  back  and  forth. 
It  really  comes  down  to  how  right  you  think 
you  are.  There  are  people  who  believe  they 
are  right,  they  have  seen  the  light  and  if 
everyone  would  just  agree,  the  API  should 
be  their  way.  I  think  that’s  going  to  be  true 
independent  of  this  topic  in  any  significant 
body  of  people.  I’m  a  little  more  pragmatic, 
much  more  the  old  rough  consensus  and 
running  code  perspective.  We’ll  see  what 
happens.  ■ 
Herve Tardy

VICE PRESIDENT AND
GENERAL MANAGER EATON'S
DISTRIBUTED POWER QUALITY
DIVISION, AMERICAS
Herve Tardy is a 27-year veteran
in the UPS industry and
has held multiple positions in
sales, marketing and product
development. His focus has
always been to position
the UPS as an IT peripheral
rather than a simple electrical
device, and he has become an
expert in power management
and software communication
solutions. In his role at Eaton,
Tardy manages the global
product roadmap for single-phase
UPSs, software and
connectivity products. He also
has global responsibility for
the Eaton IT channel marketing
program.
Converged Infrastructure

Power  management  calls  for  next-generation  solutions 


As  data  centers  grow,  so  does  the  need  for 
power. Eaton, a leader in power management,
is working with partners to create
new turnkey solutions designed for virtual
machines in converged infrastructure environments.
Eaton VP and GM Herve Tardy
explains  how  integrated  power  management 
tools  respond  to  the  needs  of  today’s  IT  pros. 

What is the top issue that IT professionals
at mid size businesses face regarding
power management?

Energy efficiency. They see power demand
in the data center going through the roof, but
they don't know how to curb it. But there is
a new focus as well. For years, IT professionals
have concentrated on servers and data
protection. Now they are focusing on virtual
machines and business continuity. Instead of
shutting down a server during an extended
power failure, they want to move the virtual
machine from one location to another where
there is power.

What is Eaton's approach to these needs?

To enable a high level of energy efficiency
and to provide business continuity for virtual
machines, we have to be integrated with
the systems that customers already have.

We did a survey and found that IT managers
have between seven and 42 different management
systems, but ideally they’d like to
manage only two. So we didn’t want to come
up with yet another management system.

From a business value standpoint, the
speed of implementation is important.

That’s why we developed plug-in energy
management modules that work with servers
running VMware, Citrix and Microsoft
System Center. For the IT manager, that
means accessing power is just another tab
on the dashboard. Now we’re expanding
this integration into the storage world. For
example, we have new partnerships with
NetApp and EMC that provide business
continuity to their storage systems in case of
power problems.

Why is it important to have intelligent
power management systems? And how
do Eaton's power solutions integrate into
converged infrastructures?

The power available for the data center is not
infinite, and IT managers are being asked
to pay for the electricity they consume. As
people add devices, they start to reach a cap,
and they need a way to manage the power
that is available to them. We have the ability
to remotely monitor power consumption for
each device connected to a power distribution
unit, and the system is smart enough to
identify when there are too many systems in
a rack and it is exceeding the capacity of the
power line.

Converged infrastructure types of solutions,
such as the FlexPod platform from
Cisco and NetApp, are fully optimized
integrated solutions, which means they are
more energy-efficient than multiple systems
in a rack. But Eaton is taking it a step further
through several reference designs that we’re
releasing for the FlexPod model, adding
smart power to the integrated architecture.

Will we see other Eaton partnerships in
the converged infrastructure space?

You will. An integrated turnkey solution
based on FlexPod, with integrated Eaton
technology, saves IT people time and expense
of evaluating products separately. We
are partnering with other leading IT companies
that have a presence in the converged
infrastructure market to come up with reference
designs to integrate power into their
systems. It may not bear the Eaton logo, but it
will benefit the customer.
TOOLS

No  more  Adobe  Dreamweaver, 
so  how  about  Xara  Web  Designer? 


If you’re doing serious Web content engineering
you might well choose an all-singing,
all-dancing product such as Adobe’s Dreamweaver.
The latest version of Dreamweaver in
Adobe’s  Creative  Suite  6  (released  just  over  a 
year  ago)  was  really  impressive,  but  with  a  list 
price  of  $399  (although  I’ve  seen  it  online  for 
$140),  Dreamweaver  was  overkill  for  many  people 
and  now  it’s  not  even  available.  In  preparation  for 
Creative  Cloud,  the  next  iteration  of  Creative  Suite,  Adobe  pulled  all  of  the 
CS6  products,  including  Dreamweaver,  from  its  online  store  earlier  this 
month,  much  to  the  intense  anger  of  many  customers. 


Mark  Gibbs’  Gearhead 


The  problem  users  have  with  Creative 
Cloud  is  all  the  applications  will  be  totally 
cloud-based and only available on a subscription
basis. Needless to say this will not
be less expensive than the CS6 version, nor
will it address the needs of smaller organizations.
To date almost 13,700 people have
signed  a  petition  asking  Adobe  to  reconsider. 

I  predict  that  if  Adobe  doesn’t  change 
course  it  will  lose  a  lot  of  market  enthusiasm, 
which could end the dominance of applications
such as Dreamweaver and Photoshop.
In fact, a new OS X-only product, Pixelmator,
looks like it could well take the shine
off  Photoshop,  and,  at  $14.99  vs.  Photoshop 
CS6’s  list  price  of  $699,  it  may  well  steal 
away  many  Photoshop  adherents. 

Be  that  as  it  may,  if  you’re  looking  for 
a  more  affordable  and  easier  to  use  Web 
development  system  than  Dreamweaver,  I 
may  have  just  the  thing  for  you:  Xara  Web 
Designer  9. 

XWD, available for Windows only, has a
very  clever  orientation:  It  makes  assembling 
Web  content  feel  more  like  using  a  desktop 
publishing  system  than  anything  else.  To 
build  a  page,  you  simply  drag  and  drop  page 
components  (images,  graphics,  text  and 
widgets) onto the page, position them, add
behaviors such as mouse-over effects and
how  components  “repel”  text  (this  allows 
text  to  flow  around,  for  example,  an  image  or 
another  block  of  text),  and  attach  hyperlinks 
to  components. 




You  can  also  place  objects  on  layers,  set 
objects  to  appear  on  every  page  of  the  site 
you  create,  and  XWD  comes  with  templates 
that  you  can  simply  drag  from  the  template 
gallery  onto  the  work  area.  You  can  even 
drag  single  pages  from  a  different  template 
into  a  website  you’re  building  and,  if  you 
want, XWD will modify the new content to
match the styles you’ve set.

XWD  comes  in  two  versions:  Web 
Designer  9  ($49.99)  and  Web  Designer  9 
Premium  ($99.99).  The  latter  adds,  among 
other  things,  more  templates,  e-commerce 
widgets, Flash and GIF animations, embedded
fonts, page turn animations, layer
transitions  and  support  for  Google  Fonts. 

The templates are engineered to be compatible
with both Android and iOS clients
and  touchscreens.  There’s  also  built-in 
HTML5  support  that  ensures  that  audio 
and  video  on  your  website  will  play  on  iOS. 
Widgets  include  Google  Maps,  Facebook 
Like  and  Twitter  buttons,  Picasa  photo 
albums, Flickr slideshows, YouTube movies,
forms, news feeds, photo and content
slideshows,  interactive  charts  and  graphs, 
and  e-commerce  support  for  PayPal,  eBay 
To  Go  and  Amazon. 

You  can  add  videos,  audio  and  PDFs,  and 
publish  to  websites  via  FTP.  With  the  Pro 
version  you  can  also  show  your  site  using 
the  built-in  Web  meeting  service,  and  export 
it  as  a  Flash  presentation  or  in  various 
graphics  formats. 

I  tested  Xara  Web  Designer  9  Premium 
and  I  love  it.  There  are  a  few  idiosyncrasies 
that  may  take  a  little  research  to  understand 
(for  example,  to  create  text  you  choose  the  text 
tool,  but  if  you  just  put  the  text  cursor  on  the 
page  and  start  typing  you’ll  create  a  text  line, 
while  if  you  start  by  dragging  the  text  cursor 
across  an  area  you’ll  create  a  text  box . . .  the 
latter  can  be  resized  but  not  the  former)  but  it 
works  well,  it’s  stable,  and  it  produces  really 
good-looking,  sophisticated  content  very 
easily.  Xara  Web  Designer  9  Premium  gets  a 
Gearhead  rating  of  5  out  of  5.  ■ 

Gibbs  is  impressed  in  Ventura,  Calif.  Publish 
your  feedback  at  gearhead@gibbs.com 
and follow him on Twitter and App.net
(@quistuipater) and on Facebook (quistuipater).
GADGETS

DAS  Keyboard  gets  quieter;  portable 
speaker  lets  you  groove  on  the  road 


Keith  Shaw’s 
Cool  Tools 


Das Keyboard Professional with Quiet Key Design

by Das Keyboard, about $150

► What it is: This is the latest high-performance
mechanical keyboard from Das
Keyboard. It’s similar to its other Professional
models, but the biggest difference is
the  “quiet  key  design”  that  reduces  the  noise 
made  by  typists  with  the  keyboard.  The 
company  says  the  keyboard  requires  less 
force  to  type  —  45g  instead  of  55g  to  60g  for 
other  keyboards. 

Like  other  models  from  Das  Keyboard, 
this version includes gold-plated mechanical
key switches, two USB 2.0 ports (for
powering other USB-enabled devices), a 6.6-foot
USB cable to attach to your computer
(or USB hub) and special function keys that
can control the computer’s volume, play/pause,
etc.

►  Why  it’s  cool:  I’ve  been  a  fan  of  Das 
Keyboard  for  many  years  now  —  for  fast 
touch-typists or people who do a lot of coding,
the tactile response and fast keyboarding
rates let you type much faster than on
other standard keyboards. The new quiet
key functionality works better for those
times when you’re taking notes on a Skype
call, videoconference or other situations
where you need to be quiet. While I still
prefer the clickety-clackety sounds that the
other Professional model makes, this quiet
version  didn’t  lose  any  points  in  terms  of 
typing  speed  or  accuracy.  I’m  sure  some 
of  my  co-workers,  who  seemed  slightly 
annoyed  when  I  was  in  a  typing  groove,  will 
appreciate  the  lower  noise  created  by  this 
keyboard. 

►  Some  caveats:  The  addition  of  a  blue 
FN  key  (that  activates  the  media  controls 
on  the  top  function  keys)  on  the  bottom-left 
side  of  the  keyboard  reduces  the  size  of  the 
Windows  key,  which  is  used  by  Macintosh 
systems  as  the  Command  key.  This  adds 
some  difficulty  to  keyboard  shortcuts  like 
Command-C  (copy)  or  Command-V  (paste) 
for  Mac  users. 

Das  Keyboard  does  make  a  keyboard 
aimed  at  Mac  users  where  the  Windows  key 
is  replaced  by  a  larger  Command  key,  but 
this  does  not  include  the  Quiet  Key  design. 

►  Grade  ★★★★  (out  of  five). 


►  What  it  is:  This  device  is  a  small  and 
portable speaker system that provides additional
audio for Bluetooth-enabled devices,
including your computer, smartphone,
music player or tablet. The GOgroove BlueSYNC
can easily connect to those devices
from up to 30 feet away, and is powered
by a removable rechargeable battery with
up  to  eight  hours  of  battery  life.  A  power 
charging  cable  is  included  to  run  the  device 
via  wall  outlet  or  your  computer’s  USB  port. 
In  addition,  an  AUX  port  can  provide  wired 
support  for  non-Bluetooth  audio  devices, 
and  it  comes  with  a  carrying  case. 

►  Why  it’s  cool:  The  speaker  is  very  nicely 
designed  —  it’s  wider  than  it  is  tall,  with 
curved  edges  and  a  nice  red  and  blue  light 
that  would  fit  in  well  into  any  decorative 
situation  (on  a  shelf,  on  your  desk,  etc.).  The 
speaker  can  also  connect  to  your  phone  to 
provide  better  speakerphone  ability  for 
conference  calls. 

►  Some  caveats:  The  sound  quality  wasn’t 
the  best  I’ve  ever  heard  from  a  Bluetooth 
portable  speaker  (I’m  still  a  fan  of  the 
Jawbone  Jambox  models),  but  it  should  still 
suffice for users who aren’t extremely picky
about the audio quality of their speakers or
need an inexpensive travel speaker.

►  Grade  ★★★★ 

Shaw  can  be  reached  at  kshaw@nww.com. 
Follow  him  on  Twitter:  @shawkeith. 
GOgroove BlueSYNC SRC Portable Bluetooth Speaker and Receiver

by AccessoryPower.com, about $50


THE SCOOP

ILLUSTRATION: JEFFREY SMITH


When  the  moderator  of  a  panel  discussion  at 
the  recent  RSA  conference  asked  the  audience  how 
many  thought  their  risk  management  programs  were 
successful,  only  a  handful  raised  their  hands.  So  Network 
World  Editor  in  Chief  John  Dix  asked  two  of  the  experts 
on  that  panel  to  hash  out  in  an  email  exchange  why 
these  programs  don’t  tend  to  work. 

Alexander Hutton is director of operations
risk and governance at a financial services firm (that
he can’t name) in the Greater Salt Lake City area, and
Jack Jones is principal and co-founder of CXOWARE
Inc., a SaaS company that specializes in risk analysis
and risk management.
JONES: Risk management programs
don’t  work  because  our  profession  doesn’t, 
in  large  part,  understand  risk.  And  without 
understanding  the  problem  we’re  trying 
to  manage,  we’re  pretty  much  guaranteed 
to  fail.  The  evidence  I  would  submit  includes: 

1. INCONSISTENT DEFINITIONS FOR RISK. Some practitioners seem to think risk
equates to outcome uncertainty (positive or
negative), while others believe it’s about the
frequency and magnitude of loss. Two fundamentally
different views. And although I’ve
heard the arguments for risk equals uncertainty,
I have yet to see a practical application
of  the  theory  to  information  security.  Besides, 
whenever  I’ve  spoken  with  the  stakeholders 
who  sign  my  paychecks,  what  they  care  about 
is  the  second  definition.  They  don’t  see  the 
point  in  the  first  definition  because  in  their 
world  the  “upside”  part  of  the  equation  is 
called  “opportunity”  and  not  “positive  risk.” 

2. INCONSISTENT USE OF TERMINOLOGY. This relates, in part, to the previous point.
If we don’t understand the fundamental
problem we’re trying to manage then we’re
unlikely to firmly understand the elements
that contribute to the problem and establish
clear definitions for those elements. I regularly
see fundamental terms like threat, vulnerability
and risk being used inconsistently,
and  if  we  can’t  normalize  our  terms,  then 
there  seems  to  be  little  chance  that  we’ll  be 
able  to  normalize  our  data  or  communicate 
effectively.  After  all,  if  one  person’s  “threat” 
is  another  person’s  “risk”  and  yet  another 
person’s  “vulnerability,”  then  we  have  a 
big  problem.  How  much  credibility  would 
physics  have  if  physicists  were  inconsistent 
in  their  use  of  fundamental  terms  like  mass, 
weight  and  velocity? 

3. THE COMMON VULNERABILITY SCORING
SYSTEM (CVSS) is my favorite whipping
post,  but  only  because  it’s  perhaps  the  most 
widely  used  model.  There  are  others  that  are 
just  as  bad,  if  not  worse.  CVSS,  for  example, 
claims  to  evaluate  the  risk  associated  with  its 
findings,  but  nowhere  in  its  measurements 
or  formulas  does  it  consider  the  likelihood 
of  an  attack.  Without  that  variable,  it  misses 
the  mark  entirely.  It  has  other  problems 
too  —  complex  math  on  ordinal  values  and 
accounting  for  variables  in  the  wrong  part 
of  their  equations,  etc.  At  least  the  folks  who 
oversee  CVSS  recognize  some  of  its  problems 
and  are  trying  to  evolve  it  over  time. 

4. EVERY TIME (AND I DO MEAN EVERY
TIME) I GET TO LOOK AT THE ENTRIES IN
AN ORGANIZATION’S RISK REGISTER, I see
a fundamental problem. Most of the entries
reflect control deficiencies like “failure
to patch in a timely manner.” The
problem is these risk registers also require
the user to provide a likelihood and impact
rating for the issue and the users invariably
rate the likelihood of that deficiency
occurring, and the impact of some event that
might occur as a result. That’s like saying
every time the batteries on a smoke detector
fail the house will burn down. The result in
most cases is grossly overstated risk ratings,
which leads either to people ignoring the risk
register because they intuitively sense it’s
inaccurate or, maybe worse, actually letting
it guide their decisions. If you’re going to use
likelihood and impact ratings, it only makes
sense to do so on scenarios that represent an
actual loss event — e.g., compromise of sensitive
data via a malware attack.

Let  me  add  one  more  thing  that  might 
help  to  put  it  into  perspective.  In  order  to 
manage  an  organization  cost-effectively, 
decision-makers  have  to  make  well-informed 
decisions.  In  order  to  make  well-informed 
decisions,  they  have  to  be  able  to  compare  the 
issues on their plates, including: opportunities,
operational costs and risk issues of different
flavors. In order to make these effective
comparisons they have to have meaningful
measurements (apples to apples),
and in order to have meaningful
measurements you
have to have an accurate
model of the problem
to be measured, which
will inform you on what
to measure and how to use the measurements.
Recognizing that no model is
perfect,  our  industry  has  operated  from 
models  that  are  so  badly  broken  that  the 
ability  to  manage  risk  cost-effectively  is  a 
complete  crapshoot. 

HUTTON: Why do most risk management
programs fail? My take:

1. WE THINK WE UNDERSTAND RISK. But,
similar to Jack’s thoughts, the reality is, what
is risk? What creates it and how is it measured?
These things in and of themselves
are  evolving  hypotheses.  Our  practitioners 
—  industry  groups  like  (ISC)2  and  ISACA, 
standards  bodies  like  NIST  and  the  ISO  —  all 
their  efforts  are  focused  on  telling  you  what 
to  do,  when  the  fact  is  that  they  shouldn’t  be. 
Formalizing  risk  standards  and  models  is 
counterproductive  to  innovation. 

An analogy: What if 100 years ago the
International Standards Organization for
Physics (ISOP) settled on J.J. Thomson’s
plum pudding model of atomic theory (in
which atoms were thought to contain electrons),
and then decided not to implement
scientific method to disprove that model?
Now, what if ISOP created a document that
formalized the pudding model and industry
and science had to simply then take that pudding
model as “the way to do things”? And
what if practitioners suffered negative incentives
should they think of innovating beyond
that model? That’s exactly what our industry
is doing to us. And the current geopolitical
marketing around “cyber” isn’t helping.

2. WE DON’T KNOW HOW TO VALUE A RISK
AND  METRICS  PROGRAM.  There  is  a  Catch-22 
around  ROI.  Most  people  won’t  invest  in  risk 
and  metrics  until  they  understand  the  value 
(the  business  case).  But  getting  those  value 
statements  to  make  that  business  case?  Well, 
that  requires  a  strong  investment  in  a  risk 
and  metrics  program. 

3. BIAS. Without strong data and formal
methods that are widely identified as useful
and successful, the overconfidence effect (a
serious cognitive bias) is deep and
strong. Combined with the stress
of our thinning money and time
resources, this overconfidence
effect leads to a generally dismissive
attitude toward formalism. In
fact, I’ve seen the overconfidence effect
happen even when practitioners have some
of the greatest data in the world at their
fingertips!

Thus  we  find  ourselves  (as  an  industry)  in 
a  similar  Catch-22  to  the  above:  We  don’t  get 
the  strong  formal  methods  we  may  all  agree 
we  want  in  order  to  be  data-driven,  because 
we  don’t  believe  that  we  personally  need 
them.  But  until  we  recognize  that  we  need 
them  we  won’t  contribute  to,  and  thus 
receive,  their  development. 

4. LAZINESS. Most people want this
all handed to them on a plate. If we’re
realistic with ourselves we all are waiting
for some 1U box to come deliver our
risk and metrics for us. We don’t want
to actually work for a rational approach
to security. In the meantime, it’s much
easier to buy a bunch of managed services,
1U appliances, and roll the dice
hoping that tomorrow isn’t the day we
get owned.
JONES: As usual, Alex nails some critical
and, in some ways subtle, points. I particularly
like his observation that our industry
thinks it understands risk. This creates
numerous challenges, not the least of which
is that I suspect it’s much more difficult getting
people to shift paradigms than to adopt a
net-new paradigm.

So,  it  seems  that  “all”  we  have  to  do  to  make 
infosec  risk  programs  successful  is: 

■  Fix  a  flawed  belief  system  (or  systems) 

■  Resolve  a  chicken  vs.  egg  problem 
related  to  metrics 

■  Compensate  for  human  bias 

■  Make  it  simple  enough  for  people  who 
want  it  handed  to  them  on  a  platter 

No  problem. 

Actually, the good news is we’re beginning
to see more mature approaches to risk,
although it feels like painfully slow progress
sometimes. There are also methods for dealing
with human bias, if people are willing to
learn and apply those methods. As for simplicity,
it’s not as hard as it seems. Some of the
difficulty  is  perception  only,  and  some  of  the 
rest  can  be  resolved  with  time.  Of  course,  I’m 
skeptical  that  a  1U  box  for  risk  will  ever  be 
the  end  game. 


The bad news is there is tremendous inertia
to overcome, especially since the infosec
profession  is  not  the  only  risk  discipline 
that  doesn’t  fundamentally  “get”  risk.  This 
presents  a  challenge  because  I  commonly 
hear  people  say,  “Risk  has  been  dealt  with  for 
a  long  time,  so  we  should  just  do  what  other 
disciplines  have  done.” 

Great  idea,  in  theory.  But  we  have  to 
be  very  careful  about  how  much  faith  we 
put  into  existing  risk  models,  particularly 
operational  risk  models.  Some  of  the  widely 
used  stuff  out  there  is  laughable  when  it’s 
put under a magnifying glass. I’d be curious
about whether Alex has had the same
observations. 

A  final  point  I’ll  make  is  that  every  infosec 
program  is  a  risk  program,  whether  we 
choose  to  recognize  it  and  treat  it  that  way 
or  not  because,  at  the  end  of  the  day,  the  only 
value  proposition  infosec  policies,  processes 
and  technologies  have  is  their  effect  on  an 
organization’s loss exposure — the frequency
and magnitude of loss.

The  problem  is,  as  an  industry  we  don’t 
commonly  put  it  in  those  terms  and  we 
haven’t  been  measuring,  managing  and 
expressing  it  in  those  terms.  As  a  result,  the 
policies,  processes  and  technologies  that  we 
use  are  not  well  understood  in  terms  of  their 
effect  on  that  value  proposition,  which  means 
that  the  cost-effectiveness  of  most  infosec/risk 
programs  is  a  crapshoot.  Do  you  agree,  Alex? 

HUTTON:  Regarding  Jack’s  question  if  I 
agree  that  we  have  to  be  careful  about  how 
much faith we put into existing risk models,
I  would  say  it  depends  <grin>.  Uncertainty 
is  hard  regardless  of  discipline.  What  I  have 
found  is  that  some  disciplines,  in  theory  at 
least,  have  a  more  rational  approach  to  how 
they  try  to  understand  that  uncertainty  than 
others.  Some  are  very  scientific,  others  not 
so  much.  The  message  I’ve  been  stumping  for 
the  past  few  years  is  that  our  industry  should 
be  very  pro-science. 

Now,  “How  to  be  pro-science?”  “What  does 
it  mean  to  be  pro-science  as  an  industry?” 
There  aren’t  easy  answers  to  these  questions. 
And  we  shouldn’t  expect  “easy.”  The  search 
for truth, the search for knowledge and meaning...
these quests are rarely simple or easy.

But yes, I look at much of what is called “risk
management” and laugh because the only other
alternative is to weep.

As to Jack’s other question
about whether I agree with the notion that
the cost effectiveness of most infosec/risk
programs is a crapshoot, yes, absolutely. But
more than that, I think there has been forming
for some time a question about what the
role  of  a  risk  management  program  is.  This 
formalization  has  been  very  control-focused, 
thanks  in  no  small  part  to  the  “GRC”  meme. 
But  if  you  take  the  mind  set  that  governance 
should  be  driven  by  metrics,  that  all  metrics 
(governance,  performance,  etc.)  have  some 
risk  meaning  (even  if  we  don’t  have  a  model 
that  directly  accounts  for  it  yet),  then  it  may  be 
time  to  remove  the  control  focus  and  switch  to 
a  data-science  focus. 

What  that  means  is  a  great  question.  And 
an  exciting  one. 

JONES:  I  couldn’t  agree  more  with  Alex’s 
statement  about  this  being  an  exciting  time  for 
those  in  our  industry  who  are  focused  on  the 
risk  perspective.  We  have  the  opportunity  to 
break new ground — establish a new science,
if you will. What could be more fun than that?
There’s  still  so  much  to  figure  out! 

Of  course,  there  are  significant  challenges 
too,  some  of  which  we’ve  talked  about  or 
alluded  to  here  already.  For  example,  you’d 
better  come  to  the  table  with  thick  skin 
because  people  are  going  to  be  sniping  at 
you constantly. You’ll be challenging conventional
“wisdom” and the status quo, and
that  makes  you  a  target.  You’d  also  better 
be  comfortable  with  being  proven  wrong 
because,  well,  sometimes  you  will  be. 

The  upside  is  significant,  though.  The 
industry  seems  to  be  firmly  headed  toward 
an adoption of risk, particularly quantitative
statements of risk. So if someone wants
to be well-positioned for jobs and promotions
in the future, and/or if you want to
put  your  stamp  on  the  next  generation  of 
information  risk  management,  then  this  is  a 
great  time. 

And  those  who  are  concerned  that  maybe 
they don’t have a strong enough math background
for this stuff, rest easy. Math isn’t
the  challenge.  What  you  do  need  are  critical 
thinking  skills  —  the  ability  to  think  beyond 
the  superficial  veneer  of  current  practices. 
This  requires  a  willingness  to  look  at  what 
the  industry  (and  sometimes  you,  yourself) 
have  been  doing  for  years  and  realize  it 
doesn’t  make  any  sense.  Sometimes  it’s  been 
embarrassingly wrong. Challenge, continually
challenge, “best practices.”

HUTTON:  Let  me  end  with  this:  The  key 
to success in security and risk for the foreseeable
future is going to be data science. In fact,
in  my  opinion,  all  the  hype  around  “big  data” 
is  sorely  misplaced.  Let  me  explain.  For  the 
past  20  years  we’ve  focused  on  the  existence 
of  the  control  over  the  skillful  operation  of 
a  series  of  controls.  We’ve  become  a  culture 
of  “installers”  and,  to  wit,  we’ve  built  a  false 
religion  about  how  our  controls  “protect”  us 
at  the  expense  of  really  understanding  how 
they  “inform”  us. 

It’s  worth  noting  that  our  approach  to  the 
concept  of  compliance  feeds  this  culture,  our 
approach  to  creating  standards  feeds  this 
culture, our approach to audit feeds this culture
... we have multiple perverse incentives
that  cause  us  to  not  focus  on  that  which  has 
demonstrably  been  shown  to  secure  [skillful 
operations].  The  good  news  is  that  one  thing 
that  can  change  this  culture  is  a  move  toward 
data-centric or evidence-based risk management
approach.

The  bad  news  is  that  this  myopic  installer/ 
protection  focus  problem  we  have  is  going  to 
be  accentuated  as  CISOs  go  out  and  invest 
in the technology of big data without understanding
the people and process needs of risk
and  security  data  science.  ■ 
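
Jones’s fourth point worked through with numbers, as an added example that is not from either panelist: the “failure to patch” entry is first scored the way he says registers do it (likelihood of the deficiency times impact of the event), then as a loss-event scenario with simulated frequency and magnitude. All rates, dollar figures and function names are constructed assumptions.

```python
import math
import random

# Constructed inputs (assumptions) for one loss-event scenario:
# "compromise of sensitive data via a malware attack".
P_LATE_PATCH_IN_YEAR = 0.90   # chance the deficiency "failure to patch" occurs at all
ATTACKS_PER_YEAR = 4.0        # malware attempts reaching a host that holds the data
P_HOST_UNPATCHED = 0.30       # share of the year such a host is actually unpatched
P_COMPROMISE = 0.10           # unpatched-host attempts that end in data compromise
LOSS_MEDIAN = 200_000.0       # median loss per event, in dollars
LOSS_SIGMA = 0.8              # lognormal spread of per-event loss


def mean_loss_per_event():
    """Mean of a lognormal with the given median and sigma."""
    return LOSS_MEDIAN * math.exp(LOSS_SIGMA ** 2 / 2)


def register_style_exposure():
    """What the register entry implies: likelihood of the deficiency times
    the impact of the event that might follow (battery fails => house burns)."""
    return P_LATE_PATCH_IN_YEAR * mean_loss_per_event()


def loss_event_frequency():
    """Expected loss events per year: attacks that arrive while the host is
    unpatched and that then succeed."""
    return ATTACKS_PER_YEAR * P_HOST_UNPATCHED * P_COMPROMISE


def _poisson(rng, lam):
    """Knuth's method; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_loss(years=50_000, seed=7):
    """Monte Carlo over simulated years: frequency from a Poisson draw,
    magnitude of each event from a lognormal draw."""
    rng = random.Random(seed)
    lam, mu = loss_event_frequency(), math.log(LOSS_MEDIAN)
    totals = []
    for _ in range(years):
        events = _poisson(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, LOSS_SIGMA) for _ in range(events)))
    totals.sort()
    return {
        "mean": sum(totals) / years,
        "p95": totals[int(0.95 * years)],
        "p_no_loss": sum(1 for t in totals if t == 0.0) / years,
    }


if __name__ == "__main__":
    sim = simulate_annual_loss()
    print(f"register-style exposure : ${register_style_exposure():,.0f} per year")
    print(f"loss events per year    : {loss_event_frequency():.2f}")
    print(f"simulated mean loss     : ${sim['mean']:,.0f} per year")
    print(f"simulated 95th pct year : ${sim['p95']:,.0f}")
    print(f"years with no loss      : {sim['p_no_loss']:.1%}")
```

With these assumed inputs the register-style figure is several times the simulated annual loss, and most simulated years contain no loss event at all.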


TWO FACTOR AUTHENTICATION

Two-factor  authentication  phones  home 

SecureAuth  IdP  wins  test  of  8  software-based  authentication  systems 


BY  DAVID  STROM 

We  all  know  that  relying 
on  a  simple  user  ID  and 
password  combination 
is  fraught  with  peril.  One 
alternative  is  to  use  one  of 
the  single  sign-on  solutions  we  reviewed  last 
year,  but  there  are  less  expensive  options  that 
could  also  be  easier  to  install. 

That’s  where  two-factor  authentication 
services  come  into  play.  Years  ago,  vendors 
came  out  with  hardware-based  two-factor 
authentication:  combining  a  password  with 
a  token  that  generates  a  one-time  code.  But 
toting  around  tokens  means  that  they  can  get 
taken,  and  in  a  large  enterprise,  hard  tokens 
are  a  pain  to  manage,  provision  and  track. 

Enter the soft token, which could mean
using a smartphone app, SMS text message,
or telephony to provide the extra authentication
step. We reviewed eight services
that support up to five kinds of soft tokens:
Celestix’s HOTPin, Microsoft’s PhoneFactor,
RSA’s Authentication Manager, SafeNet’s
Authentication Service, SecureAuth’s IdP,
Symantec’s Validation and ID Protection Service
(VIP), TextPower’s TextKey and Vasco’s
Identikey Authentication Server.

Other  vendors  including  Authentify, 
BehavioSec,  ESET,  PortalGuard,  TeleSign, 
Trustwave and Yubico either declined to participate
or didn’t quite fit into the review set.

All of the products in our review offer some
form of centralized management, and the
ability to integrate an additional authentication
step into a series of application servers, VPNs
and Windows Active Directory logins.

The  two-factor  methods  we  tested  harden 
your  logins  in  one  of  three  basic  operational 
ways: 

■  Those  that  augment  traditional  RADIUS 
or  Active  Directory  identities  to  validate 
the  user.  In  this  scenario,  the  identity 
request  is  passed  from  AD  or  a  VPN  to 
the  two-factor  server  for  the  additional 
authentication  step  before  being  allowed 
to  log  in  to  AD. 

■ Those that work as the identity provider
to a Web service, such as with Google
Docs or Salesforce.com cloud apps. In this
case, the request uses Security Assertion
Markup Language (SAML) and
trusted certificates between the app and
the two-factor server for the additional
authentication step. The advantage is that
you don’t have to touch the apps that are
sitting in the cloud, and once your user
completes the second factor, they are
logged in to the Web service directly. The
downside is that not every Web service
provider supports SAML.

■ Logins to a Web server itself, using additional
HTML code such as SOAP, Perl or
JavaScript. This code makes the connection
between the server and the two-factor
vendor’s services.

Vasco, SafeNet and PhoneFactor can cover
all three operational methods.

PRODUCT SUMMARY TABLE

| Vendor | Price per 100 tokens per year | Components | Mobile OS supported | Types of tokens | Operational methods |
|---|---|---|---|---|---|
| Celestix HOTPin v3.5 | $5,995 + support | Windows Server 2008 R2 or appliance | Windows, Android, iOS, BlackBerry | S, A, E, H | RADIUS/AD |
| Microsoft/PhoneFactor v5.0.9 | $2,500 | Cloud + Windows agent | Windows, Android, iOS | V, S, A | RADIUS/AD, SAML, Web code |
| RSA Authentication Manager v8 | $13,525 | Appliance or VM + many agents | Windows, Android, iOS, BlackBerry, Java | S, A, E, H | RADIUS/AD, SAML (1) |
| SafeNet Authentication Service v3.2 | $2,520 | Cloud service or appliance + many agents | Windows, Android, iOS, BlackBerry, Java | S, A, H | RADIUS/AD, SAML, Web code |
| SecureAuth IdP | $1,950 | Appliance or cloud-based | iOS, Android (2) | V, S, E, H | RADIUS/AD, SAML |
| Symantec VIP | $9,500 for 3 years (3) | Cloud service + many agents | Windows, Android, iOS, BlackBerry | V, S, A, H | RADIUS/AD, Web code |
| TextPower TextKey | $2,400 | Cloud service | Any mobile telephone | S | Web code |
| Vasco Identikey Authentication Server v3.4 | $14,944 | Windows or Linux Server + many agents | Windows, Android, iOS, BlackBerry, Java | S, A, E, H | RADIUS/AD, SAML (1), Web code |

NOTES: (1) RSA and Vasco use a separate product to provide SAML authentication. (2) SecureAuth's mobile apps weren’t available for testing.
(3) SMS and voice calls are charged extra, per call.

TWO-FACTOR TOKEN TYPES: V — voice calls, S — SMS text messages, A — mobile app, E — email message, H — hardware token

All of the products we tested use out-of-band
conversations to authenticate the second
factor. When your phone is registered
and  you  log  in  to  your  account,  you  are  sent 
an  SMS  message  or  asked  to  examine  your 
phone’s  soft  token  app,  or  get  an  email  with 
the  secret  code.  The  number  you  see  on  your 
phone  or  whatever  you  then  type  into  your 
browser  is  how  you  authenticate  yourself. 
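
The server side of the exchange described above, as an added example rather than code from any of the reviewed products: a one-time code is issued for a login, handed to the SMS, voice or email channel, and checked once against what the user types into the browser. The class name, 6-digit length, 5-minute lifetime and 3-guess limit are assumptions.

```python
import hmac
import secrets
import time


class OutOfBandCodes:
    """Issues and checks one-time codes sent over a second channel (hypothetical helper)."""

    def __init__(self, digits=6, ttl_seconds=300, max_attempts=3, clock=time.time):
        self.digits = digits
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock          # injectable so expiry can be exercised in tests
        self._pending = {}          # user -> [code, expires_at, attempts_left]

    def issue(self, user):
        """Create a code for this login; an earlier unused code for the user is replaced."""
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[user] = [code, self.clock() + self.ttl, self.max_attempts]
        return code                 # goes to the SMS/voice/email sender, never to the browser

    def verify(self, user, submitted):
        """True exactly once for the right code; False for wrong, expired or replayed codes."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self._pending[user]
            return False
        entry[2] = attempts_left - 1      # count the guess before comparing
        ok = hmac.compare_digest(code.encode(), str(submitted).encode())
        if ok or entry[2] <= 0:
            del self._pending[user]       # single use; too many misses forces a new code
        return ok


def demo():
    """Walk logins through success, replay, expiry and guess lockout (constructed data)."""
    now = [1_000.0]
    svc = OutOfBandCodes(clock=lambda: now[0])
    results = {}
    code = svc.issue("alice")
    results["correct"] = svc.verify("alice", code)
    results["replay"] = svc.verify("alice", code)
    code = svc.issue("bob")
    now[0] += 301                          # one second past the 5-minute lifetime
    results["expired"] = svc.verify("bob", code)
    code = svc.issue("carol")
    wrong = f"{(int(code) + 1) % 10 ** 6:06d}"
    results["guesses"] = [svc.verify("carol", wrong) for _ in range(3)]
    results["after_lockout"] = svc.verify("carol", code)
    return results


if __name__ == "__main__":
    print(demo())
```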

Finally,  each  product  comes  in  at  least  two 
different  components:  First  is  a  server  with 
either a Windows or Web front end or a cloud-based
service that runs the identity management,
sets up security policies and connects
the  tokens  with  the  user  directory  stores. 

Next  is  the  Web  service  that  users  interact 
with  if  they  need  to  add  a  new  factor  to  their 
identities  (such  as  a  new  cellphone  number)  or 
to change their passwords. Some of the products
also include various agents that reside on
different  servers  such  as  for  VPNs,  SharePoint, 
Outlook  Web  Access  or  database  servers. 

Given  the  number  of  moving  parts,  these 
products  are  not  install-and-forget  kinds 
of  deals,  and  we  were  on  the  phone  and 
exchanging lots of emails with the tech support
reps for each vendor. Prepare for a lot of
hand-wringing efforts, reading a lot of help
files and downloading reams of documentation,
and calling in your internal AD or security
experts for help when choosing the right
configuration  parameters. 

This is because the products touch a wide
swath of your enterprise network, and more
effort is required if you connect them to your
cloud-based apps too. They also come in several
different forms, such as a cloud-based
service,  appliance  or  virtual  machine. 

SecureAuth  IdP  comes  out  on  top 

The products all demonstrated strong two-factor
authentication capabilities, so picking
a winner was very difficult. However, we felt
that SecureAuth’s IdP was the easiest to manage
and deploy, had the lowest cost and was
the most capable. While its administrative
interface can be daunting, it doesn’t require
installing and integrating multiple software
pieces. Not available for our tests but now
shipping is a smartphone app.

RSA and Vasco are two old-line token vendors
that have very capable, but very costly,
products. A lower-cost alternative is Microsoft,
but for any of these three you will need
someone  who  is  well-versed  in  deploying 
these  solutions  because  there  is  a  great  deal 
of  integration  involved. 

Here’s  a  more  detailed  breakdown  of  how 
we  tested  the  products  and  which  vendors 
excelled  in  which  categories: 

1.  Enterprise  management  and  value: 

We looked at the administrative interface of
the product to set up the various functional
areas,  create  security  policies  and  synchro¬ 
nize  with  Active  Directory.  We  also  examined 
how  a  typical  enterprise  would  handle  setting 
up  several  hundred  tokens  and  matching 
them  to  particular  users,  and  how  to  revoke 
a  token  when  an  employee  leaves  a  company. 

SecureAuth,  SafeNet  and  Microsoft  had 
the  best  value  for  the  number  of  features 
offered. 

2.  How  apps  are  secured: 

We used each product to harden a sample Web app running on a Microsoft IIS server, and to connect to SaaS-based services such as Google Docs and Salesforce.com. We also looked at how many specific apps can be connected to the two-factor product and what kind of documentation is available to configure and debug these installations.

RSA,  SecureAuth  and  Symantec  were  the 
most  capable  here. 

3.  What  is  the  end  user  experience? 

We looked at how the second factor comes into play during the user login process, and how cumbersome or easy it is to enter. With some products such as Symantec and SecureAuth, you can set up multiple token types, and then choose at login time whichever one is most convenient. We also looked at the procedures involved in bypassing the token if it isn’t working. Finally, we wanted to know if the product could scale. With the exception of TextPower, most were quite scalable.

4.  Reporting  and  monitoring: 

We examined the various reports available, what happens when something goes wrong and how IT managers are notified. Some products can export or schedule reports as well.

Microsoft,  Vasco  and  Celestix  had  the  best 
reports. 

5.  Pricing  and  free  trials: 

RSA and then Vasco were the most expensive and SecureAuth the least. While most vendors only charge a couple of bucks per month per token, with a large installation this can add up. There are quantity discounts, multiyear price breaks and 24/7 support fees. Each vendor has different ways to calculate prices: Some charge on a per-token basis, some on a per-user or per-server basis, and some have prices for added components.

Celestix, PhoneFactor, SafeNet and Symantec all make it very easy to start a free trial.

Here  are  the  individual  reviews: 

Celestix  HOTPin 

If you are looking to protect your Microsoft infrastructure, Celestix HOTPin supports Microsoft’s Forefront Unified Access Gateway for Microsoft’s VPN, Web and Outlook/Exchange technologies.

HOTPin comes as a pre-installed hardware appliance or it can be installed on Windows Server 2008 R2, which is how we tested it. The first time we installed the software it didn’t finish and had to be re-installed. We also had some trouble connecting it to our Active Directory store, but once we did it automatically synchronized our users. There is a separate Web interface to handle the configuration, reporting and management tasks.

HOTPin supports a wide variety of soft tokens, including smartphone apps, email and SMS messages, plus hardware tokens. It is primarily a RADIUS-based device, meaning that if you are using it as a second factor for your VPN login, it shouldn’t take too long to get it set up.

However,  it  doesn’t  currently  support  any 
non-Microsoft  Web  or  SAML  apps,  which  is  a 
big  drawback  if  you  are  trying  to  use  a  second 
factor  for  that  purpose.  It  also  comes  with  a 
nifty  QR  code  generator,  so  you  can  point 
your  phone  at  the  screen  to  capture  the  code 
and  quickly  install  the  app  on  your  phone. 

There  are  numerous  reports  including 
authentication  events  and  error  events  that 
can  be  customized  and  exported,  too. 

The  cost  for  a  100-token  configuration  is 
$5,995,  with  24/7  support  extra.  This  price 
includes  an  unlimited  supply  of  tokens  for 
each  user.  Celestix  also  offers  two  evaluation 
licenses:  one  for  100  users  for  30  days,  and 
one  for  25  users  valid  for  the  entire  year. 

Microsoft  PhoneFactor 

PhoneFactor was one of the first to provide ordinary outbound voice calls as the second authentication factor: After you log in to a server that has been enabled with the software, it then calls your phone number and asks you to press the pound key to verify who you are. You can also have the server send an SMS text message or send a notification to a smartphone app.

The company was purchased last year by Microsoft, and the product will require deep knowledge of Microsoft services and applications to set up. It comes with a Windows agent along with Web-based management service and user portal pieces. The agent runs on any Windows client or server from XP onward. Other than the requirement that the machine run .Net Framework v2 or v3, it installed quickly.

But to really exploit its features, you will want to connect it to Active Directory, Microsoft’s IIS and Terminal Services, and the Web services that you want to add extra authentication protection to. While there are wizards to help you set things up, you will still need to spend some time with dozens of configuration parameters along with entering parameters on the management Web portal.

PhoneFactor has an Active Directory synchronization service that will cross-pollinate its users with what is on AD, but chances are you don’t have your users’ mobile phone numbers entered into your AD store: You will need to have each of them self-register on the Web-based user portal. To set up a SAML link to a Web service, you use the Windows agent and swap site certificates to enable the trust relationship, or add code to your Web pages, making this one of the few products that can handle all three operational methods.

Debugging the Windows agent is excruciating: There are text configuration files to edit, check boxes to uncheck, and dozens of parameters that could trip you up spread across multiple menu screens. We came across one error in our configuration that took some help from PhoneFactor tech support, and we would have never figured it out on our own.

To  delete  users  you  need  to  use  the  Web- 
based  management  portal.  This  is  also  where 
you  will  find  the  various  built-in  reports. 
These  can  be  downloaded  or  you  can  set  up 
more  than  a  dozen  different  usage  reports 
to  run  automatically  and  be  delivered  on  a 
schedule  via  email  —  a  nice  touch.  Adding 
users  can  be  done  with  the  self-service  user 
portal.  Both  of  these  portals  are  easy  to  use. 

Overall, we think this is fine for Windows-only shops, and the variety of second-factor methods is impressive. The cost for a 100-token configuration ranges from $15 to $25 per token per year, depending on the length of the total contract. This includes daytime business support hours.

RSA  Authentication  Manager  v8 

RSA is the market leader with hardware tokens, and with this latest version of its Authentication Manager, it has caught up with the soft token space as well. The problem is the large collection of software components that are required: Besides the Authentication Manager, there is also the Adaptive Federation Manager used for SAML logins, agents for Web servers and the self-service user portal. Most have Web-based front ends. They can be installed as VMs (which is how we tested them) or run on an appliance. Authentication Manager has a very wide collection of supported applications that can be protected with a variety of soft and hard tokens for desktops and phones.

New to this version is its dashboard, which provides a consolidated view of particular users, what tokens they have assigned, what groups they belong to, what protected resources they can access and what authentication activity they have performed in the last seven days. Navigating around the admin console is still somewhat painful, given the numerous configuration options.

Authentication Manager can be set up for some very complex token approval workflows, reflecting its hardware heritage where third-party partners supplied tokens. This can be useful if you want lost or additional token requests to be approved by administrators.

Reports are one of the weak areas of the product: While numerous, most are glorified log files, but they can be scheduled and exported in numerous formats. There are also real-time monitors of authentication and system activities.

The cost for a 100-token configuration is $15,325 for a mixture of hardware and software tokens. The base price starts at $8,500, and tokens cost $17 per year and up, depending on what form they take. This was the highest-price spread, and given the number of capable alternatives that cost a lot less, you might want to shop around if price is an issue.

SafeNet  Authentication  Service 

SafeNet is one of the most flexible products we saw: It comes as a cloud-based service (which is what we tested), as an appliance or as a collection of Windows Server 2008 software. Along with the server piece, there are numerous software agents that need to be set up for particular servers. And it supports both SAML and RADIUS identity stores, including Microsoft AD, Novell eDirectory and Sun ONE. It works with a wide and diverse token collection, including hard tokens and soft tokens for Windows and Mac desktops and smartphones, as well as using SMS messages.

SafeNet has the most extensive policies, role assignments and user groups of any of the products we tested, so you can set up different authentication levels for different individuals and groups.

You  can  automatically  provision  and 
revoke  tokens  for  particular  users  without 
getting  IT  resources  tied  up.  You  can  set  up 
enrollment  to  happen  automatically,  or  for 
users  to  receive  activation  codes  via  email  or 
SMS  for  particular  kinds  of  tokens. 

SafeNet’s reporting module is one of its strengths, providing dozens of built-in preformatted auditing, billing and usage reports that can be customized and scheduled to run and export their results via email.

The  cost  for  a  100-token  configuration  for 
just  soft  token  licenses  is  $2.10  per  token  per 
month,  and  this  increases  to  $2.40  per  token 
per  month  for  software  and  hardware  tokens. 
This  represents  good  value  for  the  money. 

SecureAuth  IdP 

We think SecureAuth’s two-factor solution, called IdP, is the best of the breed that we tested. You can run it as an appliance or (what we tested) as a cloud service. It has a plethora of menus and choices. IdP features some odd true/false dialog boxes that can be a bit daunting, but underneath it all it is a very capable product.

The company supports a wide variety of tokens, hard and soft. Indeed, IdP has an interesting workflow option where you can add third, fourth and fifth factors for your logins. You can mix and match authentication methods too, and also have a “silent” two-factor validation check happen in the background once a user has been identified. All of this is accomplished with IdP’s Web-based management console.

Users have a self-service Web-based portal where they can update their second-factor connections or even reset their Active Directory password without any IT involvement. You can set up a separate help desk Web app where you or the user can easily revoke certificates or disable tokens that have gone awry. There is no additional software to download or any agents to install.

One thing IdP doesn’t do is two-way synchronization with any of its identity stores. Although it does support a wide collection of them, it uses these directories to validate the user ID and pull relevant information for the second-factor process. Others in this review can do two-way updates of their directories.

Given SecureAuth’s expertise with SSO and SAML, it isn’t surprising that it could easily set up two-factor logins to various Web services such as Google Apps and Salesforce.com. But what is lacking is the ability to add Web code to a server, as PhoneFactor and others do. SecureAuth works around this issue by having a special agent that adds SAML federation to either IIS, JBoss or Tomcat servers and can translate the Web code into a SAML request that IdP understands.

Reports aren’t as simple to set up and will require some customization and configuration of the Web management console. Once created, they can be exported as well.

The cost for a 100-token configuration is $1,950 per year, the lowest-cost product reviewed. This includes all the software and support. Given the price and extensive feature set, IdP should be on anyone’s short list.

Symantec Validation and ID Protection Service

Symantec has been in the two-factor authentication space for quite some time, and it shows by the number of different ways that you can deploy and integrate the service. VIP has a wide selection of tokens, including desktop and smartphone apps for the majority of phones, using both the SMS service and voice calls, and various hardware tokens. VIP has more than 30 integration methods for common apps.

VIP is cloud-based with various software agents, which is both convenient and frustrating, as there is a lot of software to download, install and configure. You sign on to the cloud-based service and start reading multiple manuals for each component. The first stop is the VIP Enterprise Gateway, which acts as a bridge between the cloud service and your on-premises network and AD user store. It requires the 64-bit version of Windows Server 2008 R2, and you’ll also need Active Directory Federation Services v2, Visual C++ 2010 SP1 and IIS v7 to make the connection between VIP and AD. While that may seem like a lot of underlying software, you probably have most of it already in-house. Once this is working, you can synchronize your users in AD with the VIP service.

VIP supports multiple access methods: You can use the AD/RADIUS connectors for various other applications such as VPNs or install SOAP or JavaScript code on particular Web services. It doesn’t support SAML services directly, although Symantec plans on adding it later this year. Once you set up all your connectors, you run the Web-based VIP Manager console to add or remove tokens to user accounts, run reports and see what is going on across your entire token collection.

VIP has two weaknesses: First is its reports, which are fewer than its competitors’ and not very customizable, although they can be exported. Second is the lack of policies for granular or group access: Each user has to be set up with particular token credentials.

Three  years  of  VIP  service  for  100  users  is 
$9,500.  Additional  years  are  $1,500  per  year, 
and  volume  discounts  are  available.  These 
prices  include  an  initial  setup  fee  and  some 
support  and  they  are  just  for  soft  tokens; 
hardware  tokens  are  extra.  One  downside  is 
that  Symantec  charges  7  cents  apiece  for  SMS 
messages  and  25  cents  for  voice  calls. 

TextPower TextKey

Even though it is more of a tool kit than a product, we wanted to include TextPower TextKey in this review because of a very innovative method of handling the second-factor authentication. Most phone-based systems call your phone and you acknowledge by copying the information into your browser.

But TextPower does this in reverse: It displays a one-time password code on the browser and asks that you text the code back to its servers from your phone. This serves two functions: First, you completely avoid any man-in-the-middle attacks. Second, the system captures the originating phone number. If somehow a hacker has gotten your phone and attempts an intrusion, TextPower records the text message that is received. It then analyzes the text to make sure it is coming from the phone associated with a particular user ID before access is granted.
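
The server-side check described above, sketched as an added example (not TextPower’s code or API, and not part of the original review). The class and method names, the eight-digit code, the 120-second lifetime and the phone numbers used to exercise it are assumptions or constructed values; beyond the sender-number binding the review describes, it also shows expiry, single use and an audit record of every inbound text.

```python
import re
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120  # assumed lifetime; the review does not state one


@dataclass
class Challenge:
    user_id: str
    expires_at: float
    verified: bool = False


def normalise_number(raw):
    """Reduce a phone number to '+digits' so formatting differences don't matter."""
    return "+" + re.sub(r"\D", "", raw)


class ReverseSmsVerifier:
    """Hypothetical server side of a 'text the displayed code back' second factor."""

    def __init__(self, enrolled, clock=time.time):
        # enrolled: user_id -> phone number registered for that user
        self._enrolled = {u: normalise_number(n) for u, n in enrolled.items()}
        self._challenges = {}  # code -> Challenge
        self._clock = clock
        self.audit = []        # (time, sender, body, decision) for every inbound text

    def start_login(self, user_id):
        """After the password check: issue the code the browser will display."""
        if user_id not in self._enrolled:
            raise KeyError(f"no phone enrolled for {user_id}")
        # One live challenge per user: a new attempt voids any earlier code.
        self._challenges = {c: ch for c, ch in self._challenges.items()
                            if ch.user_id != user_id}
        code = f"{secrets.randbelow(10**8):08d}"
        while code in self._challenges:  # codes double as lookup keys
            code = f"{secrets.randbelow(10**8):08d}"
        self._challenges[code] = Challenge(user_id, self._clock() + CODE_TTL_SECONDS)
        return code

    def on_inbound_sms(self, sender, body):
        """Called for each text the SMS gateway delivers; sender is the number it reports."""
        decision = self._decide(normalise_number(sender), body.strip())
        self.audit.append((self._clock(), sender, body, decision))
        return decision

    def _decide(self, sender, code):
        ch = self._challenges.get(code)
        if ch is None:
            return "unknown_code"
        if self._clock() > ch.expires_at:
            del self._challenges[code]
            return "expired"
        if sender != self._enrolled[ch.user_id]:
            return "wrong_sender"  # challenge stays open for the enrolled phone
        if ch.verified:
            return "replayed"
        ch.verified = True
        return "accepted"

    def complete_login(self, user_id, code):
        """Polled by the browser session; a verified challenge is consumed once."""
        ch = self._challenges.get(code)
        if ch is None or ch.user_id != user_id or not ch.verified:
            return False
        del self._challenges[code]
        return self._clock() <= ch.expires_at
```

The check is only as strong as the originating number the SMS gateway reports, so the audit list is worth feeding into the same monitoring as other authentication events.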

TextPower  can  be  used  with  Web  servers 
and  we  had  it  create  some  sample  PHP  code 
that  we  added  to  our  IIS  server.  It  took  a  few 
minutes  to  install  and  get  the  second  factor 
working. 

The bad news is that while it does offer some Web protection, it can’t be used for making SAML connections to Web services apps like Google Docs or Salesforce.com that don’t allow you access to their inner workings. Also, unlike other products that have thousands of users and tokens out in the real world, TextPower is still mostly a demonstration project with no commercial installations.

For low-end installations that want ironclad protection on a budget, TextPower is worth looking into: The cost for a 100-token configuration is $2 per token per month or $2,400 per year, which is on the low end of our scale.

Vasco Identikey Authentication Server

Vasco is the other large player in the hardware token market. It has expanded into the soft token space and also into federated authentication. Unfortunately, to get all of this working will take some effort.

The basic authentication service is called the Identikey Authentication Server, and this handles RADIUS/Active Directory authentication of its hardware tokens. This runs either on Linux or, how we tested it, on Windows servers. It installs a bunch of different services, including an Apache Tomcat Web apps server and SQL database.

If you want SAML authentication, you will need to purchase the Identikey Federation Services and the enterprise-grade version of the Authentication Server. This version includes a bunch of different application agents or connectors that go under the Digipass brand, including the ability to secure Web servers running Microsoft’s IIS. If you want soft tokens, you will have to purchase at least one Digipass module for the particular form factor.

You will also need to review separate manuals for each of these components, and sadly, some of this doesn’t quite match the menus displayed on-screen. Getting tokens activated is somewhat convoluted, and we needed help from Vasco’s tech support.

Vasco supports a wide collection of tokens, including smartphone apps, SMS and email messages, and of course hardware tokens. Downloading the right smartphone app will also be vexing, as there are several Digipass versions in the iTunes Store that all function in different ways. Once you have your smartphone app (and if you are using the latest v4 server software), you can capture a QR code picture from your phone to authenticate your token like some of the other vendors’ apps.

There  are  more  than  30  report  templates 
that  can  be  customized  in  a  variety  of  ways 
and  downloaded  once  they  are  complete.  And 
there  are  numerous  preset  policies  that  can 
be  customized  with  menus  that  are  just  as 
complex  as  SecureAuth’s  choices. 

In addition to the complex software collection, there is an equally complex pricing scheme. You have three grades of server software: the standard level (which doesn’t include any agents), the gold level (which has a few of them along with high availability support) and the enterprise level (which includes all connectors).

The cost for a 100-token configuration, which includes a 100-user license for the enterprise version of Identikey, including maintenance, is $14,944, which is the most expensive product in the test set. ■

Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at strominator.com and you can follow him on Twitter @dstrom. He lives in St. Louis.

10 jobs robots won’t take away from you


A  RECENT  slideshow,  “10  Careers  Robots 
Are  Taking  From  You,”  highlighted  things 
that,  it  argued,  robots  can  do  as  well  as 
humans.  But  most  just  augment  and  improve  part  of  what  humans  do, 
not  the  whole  job.  And  let’s  be  clear,  many  of  the  examples  are  pretty 
much  pie  in  the  sky. 

All  the  same,  the  article  got  me  thinking  about  jobs  that  won’t  be  taken 
over  by  robots  anytime  in  the  near  future,  and  so  here’s  my  top  10: 

1. Chef/line cook. I don’t care how dextrous and encyclopedic robots might become, the chaos that a restaurant kitchen can become when it gets “in the weeds” and the sheer complexity of keeping a dining room full of customers happy won’t happen in my lifetime. On the other hand, I’m pretty damn old so that window may not be that big.

2.  Member  of  Congress.  This  is  guaranteed.  There  is  no  way  in  hell 
the  pols  would  allow  even  the  smartest  robot  to  replace  them.  Even  if 
a  robot  was  to  somehow  get  nominated  and  win  a  seat,  I’d  bet  there’d 
be  an  “accident”  that  would  probably  involve  it  being  reprogrammed 
with  an  ax  before  it  got  to  Washington.  And  what  about  taking  bribes? 
Nope,  that’s  better  left  to  people. 

3.  NASCAR  fan.  Of  course  robots  can’t  do  this;  some  things  are  just  way 
too  boring  even  for  machines. 

4. Telephone customer service. Unless there’s some incredible leap forward in Artificial Intelligence (to create what would actually be an Engineered Consciousness), a robot answering the phone is a long, long way away. Unless, of course, you were to create a robot that didn’t actually solve your problem, but simply recited stock sentences in a barely understandable accent before dropping the call without any warning.

5. Weeding my garden. The sheer complexity of weeding a whole garden — not just the lawn — would require something far smarter than any robot that exists today. Watson might be able to answer a “Jeopardy!” question about roses, but it couldn’t tell a Taraxacum officinale from a Lolium multiflorum.

6. High school teacher. I’m not just talking about the teaching part, but the managing of a group of rowdy, intractable teenagers. I suppose the cyborg from “Terminator” might be capable, but unless Skynet starts a cross-temporal outreach program we’re not going to be seeing anything like real-world teaching conducted by robots anytime soon.

7.  Driving  in  Los  Angeles  rush  hour.  Sure,  all  of  the  autonomous  driving 
demos  we’ve  seen  are  impressive,  but  have  you  tried  to  navigate  LA 
during  rush  hour?  Or  Boston?  Or  New  York?  Any  self-respecting  robot 
would  just  throw  up  its  hands  at  the  sheer  illogic  of  trying. 

8.  Comedian.  Comedy  is  something  that  is  so  hard  to  define  and  so 
hard  to  deliver  that  it  will  be  a  long  time  before  we  turn  on  the  TV  to 
see  a  robot  deliver  a  decent  joke.  Then  again,  perhaps  that  explains  why 
most  late-night  hosts  aren’t  funny. 

9.  Pole  dancer.  Actually  there  is  an  artist,  Giles  Walker,  who  has  built 
pole  dancing  robots  (you  can  find  them  on  YouTube),  but  these  art 
pieces  have  about  as  much  sex  appeal  as  a  lawn  mower. 

10. Writing Backspin. The chances of seeing a robot deliver Backspin in the near future are slim to ... BUZZZZT, b hmhm ... [Unexpected Exception: Program terminated] ■

Gibbs is installed in Ventura, Calif. Your program to backspin@gibbs.com and follow him on Twitter and App.net (@quistuipater).

Florida’s identity-theft rate dwarfs others

SURE, THE headline gives away the answer, but if you had been asked to guess which state has the highest rate of reported identity theft you’d likely have chosen Florida: A large population of vulnerable retirees and a generally high crime rate all but guarantee the distinction.

What might surprise you, however, is the magnitude of Florida’s “lead” over the other 49 states. It’s mind-boggling. According to statistics gleaned from the Federal Trade Commission’s most recent Consumer Sentinel Network Data Book, Floridians reported about 70,000 incidents of identity theft in 2012, or 361 for every 100,000 residents.

Florida’s  neighbor  to  the  north,  Georgia,  ranks  second  on  the  list,  but 
with  only  194  reports  per  100,000  residents,  or  roughly  half  that  of  the 
Sunshine  State.  Yet  even  that  lopsided  comparison  doesn’t  begin  to  do 
justice  to  the  enormity  of  Florida’s  ID  theft  plague. 

Numbers  three  through  five  are  California,  Michigan  and  New  York 
—  large  industrial  states  with  crime-fighting  challenges  of  their  own  yet 
only  one-third  of  the  identity  theft  as  Florida. 

Nevada  is  No.  6  and  even  carrying  the  full  weight  of  Sin  City  reports 
only  30%  as  many  victims  of  identity  theft  as  does  Florida.  Same  thing 
for  Arizona,  which  like  Florida  is  a  haven  for  retirees. 

Let’s jump down to the median, where Washington sits at No. 25 and Ohio at No. 26: Floridians are fully five times more likely to be victimized than residents of these two states.

And  then  we  have  the  Dakotas  at  No.  49  (North)  and  No.  50  (South): 
Residents  there  run  only  one-tenth  the  risk  of  identity  theft  as  your 
average  Floridian. 


Of  course,  when’s  the  last  time  you  heard  of  anyone  retiring  to  the 
Dakotas? 

NFL  won’t  kill  fax  either 

The NFL Players Association announced recently that its members will now have free access to an electronic-signature service. So would this technology have prevented the March contract-deadline fiasco that cost the Denver Broncos star defensive end Elvis Dumervil?

From a press release: “Today’s announcement follows an intriguing offseason in which contract negotiation logistics made unexpected headlines. DocuSign’s cloud-based eSignature platform assures that every NFLPA member can sign documents ... without the hassles of printing, faxing, scanning, or overnighting. NFL players will no longer have to search for a fax machine to execute a deal.”

Although the release mentions neither a particular contract nor Dumervil, it’s clearly alluding to the former Bronco, who had agreed to restructure his contract in order to stay with Denver, but — after scrambling to find a Kinkos — faxed his copy of the agreement six minutes past a contractual deadline.

So back to the question: If Dumervil used DocuSign instead of fax, would he still be with Denver? I emailed the NFLPA, DocuSign and the latter’s public relations firm. Shortly afterward I received a paragraph-long answer from the PR rep that didn’t address my question. On the second try, I heard back from an NFLPA spokesman.

“The answer is no. DocuSign doesn’t replace the agreement between the NFLPA and NFL for player contracts to be faxed.” ... Better technology can’t solve every problem. ■


42  MAY  20, 2013  www.networkworld.com 


The 

Weather 


Applications  to  keep  your  business  moving 


Cisco  WebEx 


BlackBerry®  helps  you  give  employees  the  tools 
they  need  to  be  their  best.  We  provide  a  complete 
business  and  productivity  app  portfolio,  robust 
app  management  and  a  low-cost  app  development 
environment.  And  with  BlackBerry®  Enterprise 
Service  10,  you  can  manage  your  own  corporate 
app  storefront  to  install  mandatory  apps  and  publish 
recommended  apps  to  both  personally  owned  and 
corporate  devices. 


Get  the  full  story  and  a  free  60-day 
BlackBerry  Enterprise  Service  10 
trial*  at  blackberry.com/business 


The power of 25. Packed in the space of one.

The  powerful  and  affordable  IBM  System  x3650  M4  Express  server. 

To meet today’s growing demands, businesses need a highly capable server even when
budgets are tight. The powerful IBM® System x3650 M4 Express® server, with the latest Intel®
Xeon® processor, offers great value at an affordable price. Designed to deliver 84% greater
performance¹ and handle as many workloads as 25 prior-generation IBM System x3650
systems,² x3650 M4 can help improve productivity and resource utilization. This, coupled
with the expertise of IBM Business Partners, can help you configure customizable,
affordable solutions to suit your unique business needs.


IBM System x3650 M4 Express

$2,199
OR $57/MONTH FOR 36 MONTHS³
PN: 7915-EBU

Low TCO with exceptional performance per watt
Pay-as-you-grow flexible design to lower cost and manage risk
Excellent reliability and uptime for business-critical applications and cloud


IBM Storwize® V3700

$8,799
OR $217/MONTH FOR 36 MONTHS³
PN: 2072-S2C

2U form factor capable of 24 x 2.5" drives (up to 120 drives with expansion units)
Virtualization of internal storage and thin provisioning for improved storage utilization
Intuitive user interface based on the breakthrough Storwize family user interface


IBM System x3550 M4 Express

$1,679
OR $46/MONTH FOR 36 MONTHS³
PN: 7914-EAU

Performance, flexibility, cost and density - perfectly balanced
Excellent reliability and uptime for business applications and cloud
Easy to deploy, integrate, service and manage

Contact  the  IBM  Concierge  to  help  you 
connect  to  the  right  IBM  Business  Partner. 
1 866-872-3902  (mention  102PF10A) 


Read  the  TBR  report 

and  learn  about  IBM’s  No.1  ranking 
for  performance,  scalability  and 
overall  customer  satisfaction. 

Visit  ibm.com/systems/moreforless 

Or  scan  the  QR  code  with  your  smartphone 
to  learn  more  about  the  x3650  M4  Express. 


¹Source: Intel* Performance comparison using SPECfp*_rate_base2006 benchmark. Baseline score of 266 on prior-generation 2S Intel® Xeon® processor X5690-based (3.46GHz, 6 core, 12MB L3, 6.4 GT/s, 130W)
platform published at www.spec.org as of 6 Sept 2011. New score of 492 on 2S Intel® Xeon® processor E5-2690 (2.90GHz, 8 core, 20MB L3, 8.0 GT/s, 135W) published at www.spec.org as of 28 March 2012
using two Intel® Xeon® processor E5-2690, Turbo Enabled, EIST Enabled, Hyper-Threading Enabled, 128GB memory (16 x 8GB DDR3-1600), Red Hat* Enterprise Linux Server 6.1 for x86 64, Intel® Compiler 12.1.
²Results achieved by comparing recommended system to IBM System x3650 (with Xeon® E5205) using IBM Systems Consolidation Evaluation Tool (httpsy/roianalystalinean.com/stgi/). The comparison is between
IBM System x3650 M4 and x3650 (does not include x3650 M2 or x3650 M3).

³Global Financing offerings are provided through IBM Credit LLC in the United States and other IBM subsidiaries and divisions worldwide to qualified commercial and government customers. Monthly lease payments
provided are for planning purposes only and may vary based on your credit and other factors. Lease offer provided is based on an FMV lease of 36 monthly payments. Other restrictions may apply. Rates and offerings
are subject to change, extension or withdrawal without notice and may not be available in all countries.

IBM  hardware  products  are  manufactured  from  new  parts  or  new  and  serviceable  used  parts.  Regardless,  our  warranty  terms  apply.  For  a  copy  of  applicable  product  warranties,  visit 
http://www.ibm.com/servers/support/machine_warranties.  IBM  makes  no  representation  or  warranty  regarding  third-party  products  or  services.  IBM,  the  IBM  logo,  Storwize,  System  x  and  Express  are  registered 
trademarks  of  International  Business  Machines  Corporation,  registered  in  many  jurisdictions  worldwide.  Other  product  and  service  names  might  be  trademarks  of  IBM  or  other  companies.  For  a  current  list  of  IBM 
trademarks,  see  www.ibm.com/legal/copytrade.shtml.  Intel,  the  Intel  logo,  Xeon  and  Xeon  Inside  are  trademarks  or  registered  trademarks  of  Intel  Corporation  in  the  U.S.  and/or  other  countries.  All  prices  and  savings 
estimates  are  subject  to  change  without  notice,  may  vary  according  to  configuration,  are  based  upon  IBM’s  estimated  retail  selling  prices  as  of  4/30/2013  and  may  not  include  storage,  hard  drive,  operating  system 
or  other  features.  Reseller  prices  and  savings  to  end  users  may  vary.  Products  are  subject  to  availability.  This  document  was  developed  for  offerings  in  the  United  States.  IBM  may  not  offer  the  products,  features  or 
services  discussed  in  this  document  in  other  countries.  Contact  your  IBM  representative  or  IBM  Business  Partner  for  the  most  current  pricing  in  your  geographic  area.  ©2013  IBM  Corporation. 


